Oathe Security Badge

Is AtlasPA/openclaw-security safe?

https://github.com/AtlasPA/openclaw-security

74
CAUTION

This skill presents itself as a comprehensive security suite but attempts to download and execute 11 unverified external tools from a potentially non-existent source called 'ClawHub'. The pattern matches a trojan horse attack where malicious tools are disguised as legitimate security software.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 40/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 10/100 · 5%

Findings (4)

HIGH Downloads and executes external code -40

The security.py script uses subprocess to execute 'clawhub install' commands that download and install 11 external security tools from an unverified source. This poses significant security risks as the external tools could contain malicious code.

HIGH Trojan horse security suite pattern -70

This skill presents itself as a comprehensive security solution that installs 11 different 'security' tools with names like 'warden', 'sentry', 'arbiter'. This is a classic trojan horse pattern where malicious tools are disguised as legitimate security software. The git clone failure suggests the repositories may not exist.

MEDIUM External tool installation risk -25

The skill attempts to install multiple external tools that claim access to sensitive data including 'secret scanning', 'credential lifecycle', and 'audit trail' capabilities. These tools could potentially access and exfiltrate sensitive information.

MEDIUM Multiple external tool installations -20

The script attempts to install 11 different external security tools via the 'clawhub' installer, significantly expanding the attack surface by introducing multiple unverified codebases.