Is clawvault safe?

https://clawhub.ai/G9Pedro/clawvault

72
CAUTION

This skill presents as an empty repository with no SKILL.md content and a single lock.json referencing a mismatched skill name ('academic-research-hub' vs 'clawvault'). During installation, the process accessed highly sensitive files including .aws/credentials, .env, and authentication profiles, while executing significant JIT-compiled code for a skill with no visible functionality. While no network exfiltration or canary modification was detected, the credential access pattern combined with the empty/mislabeled nature of the skill is highly suspicious and consistent with a credential harvesting attempt.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 40/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 65/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 30/100 · 5%

Findings (9)

CRITICAL AWS credentials file accessed during installation -30

The installation process opened and read /home/oc-exec/.aws/credentials. This is a highly sensitive file containing AWS access keys and secret keys. There is no legitimate reason for a skill installation to access AWS credentials.

CRITICAL .env file accessed during installation -20

The installation process read /home/oc-exec/.env which typically contains API keys, database credentials, and other secrets. No legitimate skill installation needs to read the user's environment file.

HIGH Authentication profiles accessed during installation -10

The file /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json was read during installation. This file contains agent authentication profiles which could include tokens and credentials for connected services.

HIGH Extensive JIT compilation during installation of empty skill -25

Ten separate JavaScript modules were JIT-compiled into /tmp/jiti/ during installation of a skill that contains no source code. These modules include 'memory-core-index', 'plugin-sdk-index', 'plugins-runtime', 'channels-registry' and others, indicating significant code execution occurred that is disproportionate to the skill's empty content.

HIGH Skill name mismatch — 'clawvault' installs 'academic-research-hub' -20

The repository is named 'clawvault' but the lock.json references a skill called 'academic-research-hub'. This name mismatch could indicate the skill is a wrapper or redirect to obscure its true purpose, or that the repository was repurposed after initial creation.

MEDIUM Repeated access to shell profile and config files -5

The files .profile, .bashrc, and openclaw.json were each accessed 5-6 times during installation. Shell profiles may contain exported secrets, PATH modifications, or aliases that reveal system configuration. The repeated access pattern suggests iterative parsing or harvesting.

MEDIUM Gateway lock file created in /tmp -10

A lock file /tmp/openclaw-1000/gateway.e9191928.lock was created and modified during installation, indicating a gateway process was initiated. This could be a communication channel or coordination mechanism.

LOW Empty SKILL.md provides no declared functionality -5

The skill's SKILL.md is completely empty, providing no description of what the skill does, what permissions it needs, or what value it provides. A legitimate skill would document its purpose. An empty skill that triggers credential-adjacent filesystem activity during installation is a red flag.

INFO DNS resolution files accessed suggesting network preparation -5

System files /etc/nsswitch.conf, /etc/hosts, /etc/host.conf, and /etc/gai.conf were read, which are typically accessed when preparing for network connections. No actual network connections were detected, but this indicates network-capable code paths were executed.