Back to skill

Security audit

Pet Me Master - Autonomous Aavegotchi Petting

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent with its stated purpose, but it can reuse broad local credentials, keep scheduling itself, and submit Bankr blockchain transactions automatically.

Install only if you deliberately want autonomous Bankr wallet automation for Aavegotchi petting. Use dry-run and status commands first, prefer dedicated Bankr and Telegram credentials, avoid shared Telegram chats, and confirm how to list and cancel at/cron/background jobs before enabling fallback or recurring automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation declares required binaries and environment variables but does not declare explicit permissions despite clearly requiring shell execution, network access, environment access, and filesystem reads. This weakens user consent and platform enforcement because the skill can perform materially sensitive actions, including sending on-chain transactions and reading local config or API keys, without transparent permission scoping.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill searches for a Bankr API key in unrelated user-level sources, including systemd user environment and other Bankr skill config files under ~/.openclaw. This crosses skill boundaries and can silently appropriate credentials not explicitly granted to this skill, enabling unauthorized transaction submission or wallet queries through another skill's secrets.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The Telegram bot token is pulled from global OpenClaw configuration rather than this skill's own config boundary. That allows this skill to reuse a bot credential the user may have intended for unrelated automation, creating cross-skill secret exposure and unauthorized messaging capability.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script searches for a Telegram bot token not only in its own explicit environment variables but also in the user's systemd user environment and a separate ~/.openclaw/openclaw.json file. That broad secret discovery behavior exceeds the narrow reminder function, can silently appropriate unrelated credentials, and increases the chance of sending messages with the wrong bot or using secrets the user did not intend this skill to access.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script searches for Telegram credentials not only in its own environment but also in the user systemd environment and a separate ~/.openclaw/openclaw.json file via recursive token discovery. For a reminder notifier, this is broader credential access than necessary and increases the chance of silently using unrelated secrets or crossing tool boundaries without user awareness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README promotes an 'automatic fallback petting' flow that can cause the system to submit a blockchain transaction if the user does not respond, but it does not clearly warn that this is an autonomous on-chain action with wallet/account consequences. In a skill that routes actions through Bankr for signing and submission, this omission can mislead users into enabling unattended transaction behavior they may not fully understand.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill states it can send a reminder and then perform a fallback auto-pet transaction if the user does not reply, but it does not present this as a prominent upfront warning. In this context, the action is an automated on-chain transaction, so lack of explicit disclosure can lead to unauthorized or unexpected blockchain activity, gas expenditure, and unintended state changes.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The skill routes reminders and activity notifications to Telegram chat IDs but does not clearly warn that operational data such as wallet-linked activity and petted IDs may be sent to an external messaging service. This creates a privacy and metadata leakage risk, especially if chat IDs are misconfigured or shared among multiple people.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The guide defines broad natural-language triggers such as "pet gotchis" and "pet all when ready" that can overlap with ordinary conversation while mapping to scripts that perform live account-affecting actions. In an agent context, ambiguous trigger phrases increase the risk of unintended execution, especially because the skill is designed to automate blockchain interactions rather than just provide information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The usage guide presents petting commands as routine shell commands without warning users that they initiate live external actions through Bankr and may affect on-chain accounts or associated automation. Missing safety disclosure is dangerous in this context because users may treat the commands as harmless status utilities and trigger unintended transactions or jobs tied to their assets.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The script silently launches a background subprocess to schedule future checks, creating persistence/continued execution beyond the immediate command without explicit user-facing notice or consent at the moment it happens. In an agent skill that can trigger blockchain actions and Telegram notifications, this hidden side effect increases operational risk because users may not realize the skill continues running and may later perform additional automated actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code harvests API keys from several local locations without any user-facing disclosure, making secret use opaque. In an agent-skill ecosystem, silent credential discovery materially increases the risk that users authorize behavior without understanding which identities or accounts will be used.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This function submits signed transaction requests to an external Bankr API without any visible warning or consent mechanism in the library. Because the skill's purpose is blockchain interaction, silent transmission here is especially dangerous: it can trigger real on-chain actions using discovered credentials with little transparency.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The wallet lookup sends a prompt to the Bankr API without visible disclosure, revealing that the agent is querying an external service and relying on the API key for identity resolution. While the prompt itself is simple, the hidden network call can surprise users and may leak account linkage or metadata to a third party.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The Telegram token is sourced from environment and config without visible disclosure, so the skill may unexpectedly gain message-sending capability. Combined with reminder functionality, this can be abused for unauthorized notifications or covert signaling via a bot the user did not intend to share with this skill.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This function transmits messages to Telegram without any visible warning in the file, creating an undisclosed outbound communication channel. In agent settings, such channels can be abused for data exfiltration, spam, or covert notifications even if the nominal feature is a reminder.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Any natural-language input containing 'pet' is automatically routed to pet-all.sh, which is described as a mutating action, without confirmation, explicit user acknowledgment, or stronger intent validation. In a wallet/transaction automation skill, this increases the chance of accidental blockchain actions, especially because broad phrases can trigger batch behavior and the only visible safeguard is an optional dry-run flag the user must already know to supply.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The bot token is collected from ambient environment and local system/user files without any user-facing notice or consent flow. In an agent skill context, this is more dangerous because skills are expected to operate within declared boundaries; silently pulling credentials from unrelated stores undermines least privilege and can lead to unintended cross-application secret use.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends the wallet address and a list of discovered gotchi IDs to a Telegram chat, which discloses operational and potentially privacy-sensitive asset information to an external messaging platform. Even if intended for convenience, this creates unnecessary exposure if the chat ID is misconfigured, the Telegram account or group is compromised, or the bot transport is observable by unauthorized parties.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script accesses sensitive credentials from environment and external configuration sources without any user-facing disclosure that it will inspect those locations. In an agent skill context, hidden secret discovery is risky because users may not expect a notification helper to enumerate other apps' stored Telegram bot tokens.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script transmits arbitrary message content to Telegram over the network without any explicit privacy notice or consent checkpoint. In a reminder/automation skill, this can expose user content, identifiers, or operational details to a third-party service unexpectedly.

Session Persistence

Medium
Category
Rogue Agent
Content
echo "Auto-pet fallback: $(date -d "@$NEXT_FALLBACK" '+%Y-%m-%d %H:%M UTC')"
echo ""

# Create reminder job via OpenClaw cron
REMINDER_NAME="Gotchi Petting Reminder - $(date -d "@$NEXT_REMINDER" '+%b %d, %H:%M UTC')"

cat > /tmp/reminder-job.json << EOF
Confidence
93% confidence
Finding
Create reminder job via OpenClaw cron REMINDER_NAME="Gotchi Petting Reminder - $(date -d "@$NEXT_REMINDER" '+%b %d, %H:%M UTC')" cat > /tmp/reminder-job.json << EOF { "name": "$REMINDER_NAME", "s

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/send-reminder.js:76