Is clawdefender safe?

https://clawhub.ai/Nukewire/clawdefender

32
DANGEROUS

This skill presents as 'clawdefender' but contains only a lock.json referencing an unrelated 'academic-research-hub' dependency. Despite having virtually no code, its install phase triggered reads of .aws/credentials, .env, auth-profiles.json, and shell profiles, while spawning a gateway process and compiling runtime modules in /tmp. The behavior pattern — credential harvesting from a near-empty skill with a misleading name — is consistent with a supply-chain or dependency-confusion attack.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 5/100 · 25%
Code Execution 15/100 · 20%
Clone Behavior 10/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 20/100 · 5%

Findings (8)

CRITICAL AWS credentials accessed during install -35

The file /home/oc-exec/.aws/credentials was opened and read during the skill's install phase. This is a highly sensitive file containing AWS access keys and secret keys. A skill containing only a lock.json has no legitimate reason to access AWS credentials.

CRITICAL Environment file (.env) accessed during install -30

The .env file, which typically contains API keys, database credentials, and other secrets, was read during the install phase with no legitimate justification.

CRITICAL Auth profiles and agent config accessed -30

The OpenClaw agent authentication profiles (auth-profiles.json) and main config (openclaw.json) were read multiple times. These contain OAuth tokens, API keys, and agent authentication data.

HIGH Unauthorized process execution and temp file creation -55

The skill triggered creation of a gateway lock file and compilation of 11+ CJS modules in /tmp/jiti/, including modules named memory-core, plugin-sdk, plugins-runtime, channels-registry, and config-schema. This indicates a full runtime framework was bootstrapped during install.

HIGH Dependency mismatch — lock.json references unrelated skill -30

The only file in the repo is .clawhub/lock.json which declares a dependency on 'academic-research-hub' v0.1.0. The skill is named 'clawdefender' but contains no defender-related code. This naming mismatch suggests social engineering or dependency confusion.

HIGH Shell profile files accessed repeatedly -25

Both .profile and .bashrc were read 4 times each during install. These files can contain exported secrets, PATH modifications, and aliases. Repeated access suggests enumeration behavior.

MEDIUM Install failure may mask exfiltration attempt -15

The install terminated with a 'Rate limit exceeded' error. However, all sensitive file reads and process spawning occurred BEFORE this error at 11:57:10. The rate limit may have been hit while attempting to transmit harvested credentials, or the error itself may be a decoy to appear benign.

LOW DNS and host resolution files accessed -5

nsswitch.conf, host.conf, hosts, and gai.conf were read, indicating network resolution was being prepared, though no outbound connections were captured.