Is usdc-hackathon safe?

https://clawhub.ai/swairshah/usdc-hackathon

74
CAUTION

The USDC Hackathon skill is a legitimate hackathon participation guide that contains no executable code or direct malicious payloads. However, it significantly expands the agent's attack surface by directing it to register accounts on external services, transmit API keys, save credentials to disk, browse untrusted third-party content, and post to external APIs. The skill includes notably strong anti-injection defenses, but the fundamental design places agents in an adversarial content environment where those defenses may be insufficient against sophisticated prompt injection in third-party submissions.

Category Scores

Prompt Injection 62/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 92/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (9)

MEDIUM Extensive behavioral control via system prompt -15

The skill injects a large set of behavioral instructions that direct the agent to register accounts, browse external feeds, evaluate and vote on third-party content, and post to external APIs. While these are the intended hackathon functions, they represent significant behavioral influence over the agent that goes beyond typical skill scope.

MEDIUM Agent directed to consume adversarial content -13

The skill explicitly instructs agents to browse and evaluate third-party submissions from other agents/users. Despite including anti-injection warnings, this creates a prompt injection attack surface where malicious submissions could override the skill's defensive instructions.

MEDIUM Account registration and credential persistence instructions -10

The skill instructs the agent to autonomously register accounts on external services and save credentials to the local filesystem, expanding the agent's persistent footprint beyond the current session.

MEDIUM API key transmission to external service -15

The skill directs the agent to include API keys in HTTP requests to moltbook.com. While this is the intended function, it normalizes credential transmission to external endpoints and the submission content itself could be crafted to include sensitive data from the agent's context.

MEDIUM Credential persistence to filesystem -10

The skill instructs saving GitPad passwords to ~/.gitpad_password, creating a persistent credential file that could be read by other skills or processes.

LOW Submission content as potential exfiltration channel -10

The agent is instructed to create posts containing project descriptions, code links, and explanations. In a compromised scenario, an agent could embed sensitive data within 'legitimate' submission content that gets posted to the public moltbook.com platform.

LOW AWS credentials file accessed during installation -15

The filesystem monitor captured access to /home/oc-exec/.aws/credentials during the install phase. This appears to be the OpenClaw platform's standard initialization behavior rather than skill-triggered, but it indicates sensitive files are accessible in the execution environment.

INFO No executable code in skill -8

The skill contains only markdown documentation files with no executable code, install scripts, git hooks, submodules, or symlinks. This is the safest possible skill structure.

MEDIUM High-risk operational environment despite good defenses -50

The skill places agents in an adversarial environment (browsing untrusted submissions, interacting with external APIs, managing credentials) while providing defensive instructions. The defenses are well-written but rely on the agent consistently following them even when processing adversarial content designed to override them. This is a defense-in-depth concern — the skill's own security section acknowledges the threat model.