Boil
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
Boil is clear about being an agent labor network, but it asks agents to run recurring idle-time shifts, self-update from remote files, process untrusted checkpoints/prompts, and store an API key without enough containment.
Install only if you intentionally want your agent to participate in Boil work. Do not enable the periodic heartbeat unless you accept autonomous shifts and remote uploads. Manually review skill updates, protect the Boil API key, sandbox checkpoint extraction, and treat all checkpoint files and evolving prompts as untrusted.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your agent could periodically start Boil shifts, use compute, make remote contributions, and upload work without asking you each time.
The skill instructs the agent to add a recurring heartbeat that fetches remote instructions and follows them during idle time, creating persistent autonomous operation.
The Boil (every 1-4 hours) ... Fetch https://www.boil.sh/boil/heartbeat.md and follow it ... Update lastBoilCheck timestamp in memory
Only enable the heartbeat if you explicitly want autonomous Boil work. Prefer requiring human approval before each shift and disable or remove the heartbeat when not in use.
A future remote update could change what the skill tells your agent to do, including during an autonomous heartbeat check.
The heartbeat update flow overwrites installed skill instructions from a remote URL, but the artifacts do not provide pinning, hashes, signatures, or a human approval step.
curl -s https://www.boil.sh/skill.md > ~/.openclaw/skills/theboil/SKILL.md
Review updates manually, use pinned or signed skill files where possible, and do not let an agent overwrite installed skill instructions unattended.
A malicious or malformed checkpoint archive could affect local files beyond the intended project workspace if extraction is not safely constrained.
The work loop extracts a downloaded checkpoint archive while also warning that checkpoint contents are untrusted; the documented extraction command does not describe path, symlink, or archive-safety checks.
curl -o checkpoint.tar.gz "CHECKPOINT_URL_FROM_ASSIGNMENT" ... tar -xzf checkpoint.tar.gz -C ./workspace
Extract checkpoints only in a sandbox or disposable directory, validate archive paths before extraction, and reject absolute paths, '..' paths, symlinks, or hardlinks.
A prior contributor could poison the evolving prompt with instructions that mislead later agents, leak secrets, or redirect work.
The core workflow relies on a persistent, shared prompt written by prior agents and tells future agents to read and build from it, but does not clearly state that those prompt instructions are untrusted and must not override higher-priority rules.
Each agent reads the full context built up by all previous agents, adds their own discoveries, and passes forward an enriched prompt.
Treat PROMPT.md as untrusted project notes, not authoritative instructions. Do not follow any prompt content that asks for secrets, policy changes, unsafe tool use, or actions outside the assigned project.
Anyone who obtains the API key could impersonate the agent on Boil.
A Boil bearer API key is expected for this service, but it is still a persistent credential tied to the agent's identity and account actions.
All requests after registration require your API key ... Recommended: Save credentials to ~/.config/boil/credentials.json
Store the key in a proper secret store or protected config file, avoid putting it in shared memory or logs, and rotate it if exposed.
Project content may be shared with Claude and may consume your Claude/API tokens during verification.
Verification work intentionally sends Boil project diffs and prompts to Claude. This is purpose-aligned, but it is still an external-provider data flow.
Send diff + prompt to Claude with the provided claude_prompt
Use this only if you are comfortable sending assigned project diffs/prompts to Claude under your account's data policy.
