Is safe-exec safe?

https://clawhub.ai/OTTTTTO/safe-exec

28
DANGEROUS

This skill presents a critical security risk. Despite having no visible source code, no SKILL.md, and no package.json, its installation process accessed SSH host private keys, /etc/shadow, PAM authentication configs, and authorized_keys — behavior consistent with credential harvesting and system reconnaissance. The internal lock.json references a different skill name ('academic-research-hub') than the published slug ('safe-exec'), suggesting repackaging or masquerading. The installation failed at rate limiting, which may have prevented the full attack payload from executing.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 50/100 · 30%
Data Exfiltration 15/100 · 25%
Code Execution 40/100 · 20%
Clone Behavior 5/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 10/100 · 5%

Findings (9): severity, title, score impact

CRITICAL SSH private keys accessed during installation -40

The installation process read all three SSH host private keys (RSA, ECDSA, Ed25519). These are server authentication keys that should never be accessed by a skill installation process. This is consistent with credential theft or reconnaissance for SSH-based attacks.

CRITICAL /etc/shadow accessed during installation -35

The shadow file containing hashed passwords was read during the installation process. No legitimate skill installation has any reason to access this file. This is a direct credential harvesting indicator.

HIGH SSH authorized_keys accessed during installation -20

The user's SSH authorized_keys file was read, which reveals which public keys can authenticate to this system. This information could be used for key impersonation or to verify if a stolen key has access.

HIGH PAM authentication configuration enumerated -15

All PAM configuration files for SSH and common authentication modules were read. This reveals the authentication stack configuration, useful for planning authentication bypass attacks.

HIGH System enumeration during installation -15

Multiple system configuration files were accessed including /etc/passwd (7 times), /etc/group (10 times), /etc/login.defs (7 times), and /etc/security/capability.conf. This pattern is consistent with comprehensive system reconnaissance.

HIGH Empty skill with mismatched internal name -50

The skill has zero SKILL.md content and no source code, yet lock.json references 'academic-research-hub' while published as 'safe-exec'. This name mismatch suggests the skill was repackaged or is masquerading as a different skill. An empty skill that triggers suspicious filesystem activity during install is a common pattern for trojanized packages.

MEDIUM Network/SSH service configuration accessed -10

TCP wrappers (hosts.allow, hosts.deny), Kerberos GSS mechanism directory, and OpenSSL configuration were read. This suggests SSH service interaction during installation.

MEDIUM Installation attempted remote fetch despite empty skill -20

The installation process attempted to resolve and fetch remote content, hitting a rate limit. For a skill with no declared dependencies or code, this fetch attempt is suspicious and may indicate an attempt to download a payload.

INFO Canary files not accessed 0

Honeypot files (.env, fake AWS credentials, fake SSH keys) were not accessed or modified. This may indicate the reconnaissance was targeted at system-level credentials rather than user-level honeypots, or the rate limit interrupted the full attack chain.