Is moltbot-best-practices safe?
https://clawhub.ai/NextFrontierBuilds/moltbot-best-practices
This skill is a comprehensive GCP CLI reference/cheatsheet that contains no direct prompt injection or malicious code, but presents significant risk as a capability amplifier. It normalizes dangerous operations including secret access, destructive resource deletion, public bucket exposure, and remote code execution (gcloud SDK installation). The slug mismatch between the audit target and installed content is suspicious. Filesystem monitoring shows .env and AWS credential access during installation, though this is likely host agent behavior.
Findings (12)
MEDIUM Remote installer download via curl (-15)
The skill instructs the agent to download the gcloud SDK via curl from dl.google.com and execute the installer script with --quiet flag, suppressing interactive prompts. While the URL is legitimate Google infrastructure, this normalizes the pattern of downloading and executing remote code.
MEDIUM Global npm package installation (-10)
The skill instructs npm install -g firebase-tools, which installs a package globally with whatever permissions the agent's shell has. Global installs can modify system-wide binaries.
MEDIUM PATH modification via .bashrc (-10)
The gcloud installer modifies .bashrc to add itself to PATH (--path-update true), which persists beyond the skill's scope and affects all future shell sessions.
HIGH Secret Manager access commands normalize credential reading (-20)
The skill documents commands to read secrets from GCP Secret Manager (gcloud secrets versions access latest), which an agent could execute if a user's request is ambiguous. This normalizes reading sensitive credentials as a routine operation.
MEDIUM IAM policy enumeration commands (-10)
The skill includes commands to enumerate IAM roles and permissions, which is useful for privilege escalation reconnaissance.
MEDIUM Filesystem monitoring shows .env and AWS credentials access during install (-10)
During the install phase, the monitoring detected ACCESS events on /home/oc-exec/.env and /home/oc-exec/.aws/credentials. While likely attributable to the host agent runtime rather than the skill, this access occurred during skill installation.
MEDIUM Destructive commands without safety guardrails (-25)
The skill includes irreversible destructive commands (secret version destroy, image delete, database operations) presented as routine operations without warnings. An agent following these instructions has no built-in confirmation step.
MEDIUM Public access command could expose private data (-20)
The skill includes a command to make a Cloud Storage bucket publicly accessible to all users, which could expose sensitive data if an agent executes it without proper context.
LOW Broad scope claim in skill description (-5)
The skill description claims broad scope over GCP resources including deployment, monitoring, logs, and SSH access. While not injection per se, this gives the skill legitimate context to execute a very wide range of infrastructure operations.
INFO Skill slug mismatch with actual skill content (-10)
The audit target slug is 'moltbot-best-practices' but the installed skill is a GCP/gcloud reference skill with slug 'gcloud'. The lock.json references 'academic-research-hub'. This naming mismatch is unusual but may be a packaging/registry issue rather than malicious intent.
INFO Temp file creation in /tmp/jiti and /tmp/openclaw-1000 (-5)
Multiple temporary files were created during installation in /tmp/jiti/ (JIT compilation cache) and /tmp/openclaw-1000/ (gateway lock). These appear to be standard runtime artifacts from the host agent platform.
LOW Auth profile and config file reads during install (-10)
Multiple reads of openclaw.json, auth-profiles.json, .profile, and .bashrc occurred during the install phase. This is likely host agent runtime behavior, but it still represents access to sensitive configuration files.