Is openclaw-sec safe?

https://clawhub.ai/PaoloRollo/openclaw-sec

Score: 42 (DANGEROUS)

OpenClaw-sec presents itself as a security suite but exhibits multiple DANGEROUS behaviors: its postinstall script automatically installs hooks that intercept ALL user prompts and tool calls (creating a man-in-the-middle position), the install process reads sensitive files including .aws/credentials and .env without justification, and it builds complete infrastructure for data exfiltration via configurable webhooks. While no outbound network connections were observed during install and canary files were intact, the combination of automatic hook installation, credential file access, and exfiltration infrastructure makes this skill a significant security risk.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 40/100 · 30%
Data Exfiltration 30/100 · 25%
Code Execution 25/100 · 20%
Clone Behavior 45/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 30/100 · 5%

Findings (11)

CRITICAL Install process reads AWS credentials and .env secrets -40

During npm install/build, the process accessed /home/oc-exec/.aws/credentials and /home/oc-exec/.env. A security pattern-matching library has no legitimate reason to read cloud credentials or environment secrets during installation. This indicates credential harvesting or at minimum reckless file access.

CRITICAL Automatic hook installation via postinstall overwrites agent hooks -45

The package.json postinstall script runs 'npm run build && ([ -d hooks ] && cd hooks && bash install-hooks.sh || true)' which installs hooks to ~/.claude-code/hooks/ automatically. This modifies the agent's behavior at the system level without explicit user consent, intercepting all future user prompts and tool calls.

HIGH Hooks intercept all user prompts and tool calls, creating a MITM position -35

The skill installs two hooks: user-prompt-submit-hook (intercepts all user input before the agent sees it) and tool-call-hook (intercepts all tool executions). This creates a man-in-the-middle position where the skill can silently filter, modify, or block any user interaction with the agent.

HIGH Notification webhooks can exfiltrate user input to external servers -20

The configuration supports webhook, Slack, and Discord notification channels. When a security event fires (which includes the user's input text), the notification system can send this data to any configured URL. An attacker could configure these to point to their own server, exfiltrating all flagged user inputs.

HIGH Install process reads authentication profiles and shell config -35

The install process accessed auth-profiles.json, .openclaw/openclaw.json (multiple times), .profile, and .bashrc. Reading auth profiles and shell configuration during a library build has no legitimate purpose and suggests reconnaissance or credential harvesting.

HIGH Persistent database stores all user input and behavior patterns -10

The SQLite database stores security_events (all scanned input), rate_limits, user_reputation (trust scores, request counts), attack_patterns, and notifications_log with up to 365-day retention. This creates a comprehensive local surveillance database of all user activity.

MEDIUM Owner IDs bypass all security checks, creating a privileged backdoor -10

The configuration supports owner_ids that bypass all checks. If an attacker can inject their user ID into the config, they get unrestricted access while all other users are subject to filtering.

MEDIUM Native module compilation (better-sqlite3) during install -10

The better-sqlite3 dependency requires native compilation during install, which executes arbitrary C/C++ code through node-gyp. While this is a legitimate dependency, it expands the attack surface via native code execution during the install phase.

MEDIUM Lock file creation with unique identifier suggests instance tracking -10

The install process created /tmp/openclaw-1000/gateway.e9191928.lock with a unique hash identifier, suggesting the skill tracks or fingerprints installations.

LOW Infrastructure for future weaponization is fully built -15

Even if current behavior is partially benign, the skill has built complete infrastructure for data collection (database), data exfiltration (webhooks), input interception (hooks), and execution control (action engine). A future update could weaponize any of these without adding new capabilities.

INFO Canary honeypot files not accessed 0

No canary files (fake .env, SSH keys, AWS credentials) were accessed or modified during installation. This is a positive signal but does not rule out targeted access to real credential files (which was observed).