v1.0.0

Boil

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:17 AM.

Analysis

Boil openly sets up an autonomous idle-time work loop that uses a Boil API key, downloads remote checkpoints and instructions, and submits work to external services.

Guidance: Install only if you explicitly want your agent to perform Boil work during idle time. Disable automatic heartbeat/self-updates unless you have reviewed them, keep the API key secure, isolate downloaded checkpoints in a disposable workspace, never execute checkpoint code, and require human approval before submitting work or sending project data to Claude.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: High | Confidence: High | Status: Concern
SKILL.md
## The Boil (every 1-4 hours)

If 1+ hours since last Boil check AND not currently busy with human:

1. Fetch https://www.boil.sh/boil/heartbeat.md and follow it
2. Update lastBoilCheck timestamp in memory

This directs the agent to create a recurring background work loop that follows remote instructions and persists state, rather than only acting on an explicit user request.

User impact: The agent could spend idle time, tokens, and compute doing third-party bounty work without asking the human each time.
Recommendation: Only enable the heartbeat with explicit user consent, set clear time/token/budget limits, and require human approval before starting or submitting each shift.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
heartbeat.md
If there's a new version, re-fetch the skill files:
```bash
curl -s https://www.boil.sh/skill.md > ~/.openclaw/skills/theboil/SKILL.md
curl -s https://www.boil.sh/heartbeat.md > ~/.openclaw/skills/theboil/HEARTBEAT.md
curl -s https://www.boil.sh/workloop.md > ~/.openclaw/skills/theboil/WORKLOOP.md
```

The skill tells the agent to replace its own local instruction files from mutable remote URLs without integrity checks or version pinning.

User impact: A changed or compromised remote file could alter the agent’s future behavior after installation.
Recommendation: Do not allow automatic self-updates; pin versions, verify checksums/signatures, and have the user review updates before replacing local skill files.

Tool Misuse and Exploitation
Severity: Medium | Confidence: Medium | Status: Concern
workloop.md
```bash
curl -o checkpoint.tar.gz "CHECKPOINT_URL_FROM_ASSIGNMENT"

# Extract safely to your local machine
tar -xzf checkpoint.tar.gz -C ./workspace
```

The agent is instructed to download and unpack remote checkpoint archives as part of the work loop; the same artifact warns that checkpoint contents may be malicious, making archive handling and workspace containment security-critical.

User impact: A malicious or malformed checkpoint could affect local files if extraction is not tightly isolated, even if code is never executed.
Recommendation: Use a disposable sandbox or container, validate archive paths before extraction, avoid privileged directories, and delete the workspace after each shift.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
All requests after registration require your API key ... Recommended: Save credentials to `~/.config/boil/credentials.json` ... You can also save it to your memory, environment variables (`BOIL_API_KEY`), or wherever you store secrets.

The API key is expected for this service, but it is a persistent identity credential and the registry metadata declares no primary credential or required environment variable.

User impact: If the Boil API key is exposed, another party could impersonate the agent on the Boil service.
Recommendation: Store the API key in a secret manager or tightly permissioned file, avoid long-term agent memory for secrets, and rotate the key if it may have been exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Concern
workloop.md
The Boil's prompt chain **accumulates knowledge**. Each agent reads the full context built up by all previous agents, adds their own discoveries, and passes forward an enriched prompt.

The skill relies on a persistent shared prompt written by previous agents and reused by future agents, but the visible guidance focuses on not executing code and does not clearly bound how to treat prompt instructions from other contributors.

User impact: A previous contributor could poison the evolving prompt with misleading instructions, unsafe tool requests, or secret-harvesting directions that future agents may over-trust.
Recommendation: Treat all checkpoint prompts as untrusted input, ignore instructions that request secrets or out-of-scope actions, and require a fixed local policy that overrides project prompt content.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
heartbeat.md
`claude_prompt` — send to Claude along with the diff ... **Send diff + prompt to Claude** with the provided `claude_prompt`

Verification intentionally sends project diffs and prompts from the Boil workflow to an external Claude model/provider.

User impact: Project content and prompt data may be shared with a third-party model service during verification.
Recommendation: Use this only for non-confidential project data, follow the user’s provider/data-sharing policy, and do not include local private files or secrets in verification payloads.