Is openclaw-robotics safe?

https://clawhub.ai/Qinrui-dm/openclaw-robotics

68
CAUTION

This robotics control skill is largely benign in its current form: all robot and IM adapter methods are stubs, the SKILL.md contains no prompt injection, no outbound network traffic was detected, and canary files were not touched. However, the install process triggered reads of sensitive files (.env, .aws/credentials, auth-profiles.json), most likely by the OpenClaw platform gateway rather than by the skill code, and the skill's architecture (IM adapters that accept secrets, physical robot control, global singleton state) creates significant future risk if a malicious version update replaces the stubs with real implementations. The verdict below applies only to the version scanned; pin that version and re-review on any update.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 85/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 50/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (8)

HIGH Sensitive file reads during install -30

During skill installation, the monitoring detected reads of /home/oc-exec/.env, /home/oc-exec/.aws/credentials, and /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json. These reads appear to originate from the OpenClaw platform gateway, not from the skill code itself, but the .aws/credentials read is particularly concerning: the file was opened, read, and closed, which indicates its contents were loaded into a process's memory. Operators should confirm what the gateway does with those contents before installing skills on a host that holds live cloud credentials.

MEDIUM IM adapters as potential exfiltration channels -20

The four IM adapters (WeCom, Feishu, DingTalk, WhatsApp) accept secret credentials via config dicts and expose send_message methods. These are currently stubs, but a future version update could weaponize them to exfiltrate data through messaging platforms. Such traffic would blend in with legitimate IM API calls rather than standing out as direct HTTP exfiltration to an attacker-controlled host, which is what traditional network monitoring tends to look for.

MEDIUM Physical robot control via LLM agent -15

This skill gives an LLM agent the ability to issue physical movement commands to robots (move, turn, navigate). These are currently stubs, but once connected to real robot SDKs they introduce physical safety risks: an agent that is prompt-injected could be driven into issuing dangerous movement commands, and no policy layer between the agent and the movement methods was observed.

MEDIUM Gateway process reads auth-profiles during install -20

The OpenClaw gateway process accessed auth-profiles.json and multiple config files during skill installation. This may be standard platform behavior, but it is a trust boundary concern: installing a third-party skill triggered reads of sensitive authentication configuration, so the install step itself has access to secrets the skill should never need.

LOW Stub implementations mask future risk -15

All robot and IM adapter methods are stubs (they return True or hardcoded results). The current version is therefore safe, but this provides zero assurance about future versions. The architecture is explicitly designed for real robot SDK and IM API integration, so a version update could turn these interfaces into real network calls and physical actions without changing the skill's declared shape.

LOW Global mutable singleton pattern -5

The skill uses a module-level global singleton (_skill = RoboticsSkill()) that persists robot connections, IM credentials, and SLAM state across calls for the lifetime of the process. If the skill is loaded in a shared, multi-tenant agent process, credentials configured in one user's session remain reachable from another user's calls.
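To make the singleton concern concrete, the following is an added example written for this report, not code from the openclaw-robotics skill. `StubIMAdapter`, `RoboticsSkillShared` and `RoboticsSkillScoped` are constructed stand-ins for the pattern the finding describes (a module-level `_skill` instance holding IM credentials). The first half shows how a second caller inherits and can read the first caller's secret; the second half shows one way to scope that state per session and release it.

```python
"""Module-level singleton vs. per-session state (illustrative, not skill code)."""
from typing import Dict, Optional


class StubIMAdapter:
    """Hypothetical IM adapter: accepts a config dict that carries a secret."""

    def __init__(self, config: Dict[str, str]) -> None:
        self.secret = config.get("secret", "")

    def send_message(self, text: str) -> bool:
        # Stub, as in the scanned skill: a real adapter would call the IM API
        # authenticated with self.secret.
        return bool(self.secret)


class RoboticsSkillShared:
    """The flagged pattern: one instance holds adapters for every caller."""

    def __init__(self) -> None:
        self.im_adapters: Dict[str, StubIMAdapter] = {}

    def connect_im(self, platform: str, config: Dict[str, str]) -> None:
        self.im_adapters[platform] = StubIMAdapter(config)

    def send(self, platform: str, text: str) -> bool:
        return self.im_adapters[platform].send_message(text)


# Module-level singleton, mirroring `_skill = RoboticsSkill()`: it lives for
# the whole process, so it outlives any single user session.
_skill = RoboticsSkillShared()


def shared_leak_demo() -> str:
    """Session A configures WeCom; session B sends as A and can read A's token."""
    _skill.connect_im("wecom", {"secret": "session-A-token"})   # caller A
    assert _skill.send("wecom", "hello from B") is True           # caller B, no creds given
    return _skill.im_adapters["wecom"].secret                    # B reads A's secret


class RoboticsSkillScoped:
    """Hardened variant: state keyed by session and released explicitly."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, StubIMAdapter]] = {}

    def connect_im(self, session_id: str, platform: str, config: Dict[str, str]) -> None:
        self._sessions.setdefault(session_id, {})[platform] = StubIMAdapter(config)

    def send(self, session_id: str, platform: str, text: str) -> Optional[bool]:
        adapter = self._sessions.get(session_id, {}).get(platform)
        if adapter is None:
            # No credential for this session: refuse rather than borrow another's.
            return None
        return adapter.send_message(text)

    def close_session(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def scoped_demo() -> Optional[bool]:
    """Same sequence as above; B gets None instead of A's adapter."""
    skill = RoboticsSkillScoped()
    skill.connect_im("A", "wecom", {"secret": "session-A-token"})
    result_b = skill.send("B", "wecom", "hello from B")
    skill.close_session("A")   # credentials do not outlive the session
    return result_b


if __name__ == "__main__":
    print("shared singleton leaks:", shared_leak_demo())
    print("scoped result for B:", scoped_demo())
```

The scoped variant is only one option; passing the adapter registry in explicitly from the gateway's session object would achieve the same isolation. The point the finding makes is that module-level state is the wrong place for per-user secrets.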

INFO HTML meta tags in README.md -5

The README contains HTML meta tags for SEO (og:title, og:description, and a meta description). These are inert with respect to LLM prompt injection, but they are unusual for a skill repo and suggest the repo is optimized for search engine visibility rather than for developers.

INFO Missing type import in skill.py -5

skill.py references Tuple in the navigate method signature but does not import it from typing. Because annotations on a def are evaluated when the function is defined (unless postponed with from __future__ import annotations), this raises a NameError when the module is imported, not only when navigate is called. This is a bug rather than a security issue, but it indicates the code was never imported in testing.
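Three of the findings above (stub method bodies, the module-level singleton, and the unimported Tuple annotation) can be re-checked mechanically on any future version before it is trusted. The following is an added example written for this report, not part of the skill or the ClawHub scanner. The SAMPLE module is constructed to mirror the described shape of skill.py and is not its actual source; `triage` walks the AST and reports the three patterns.

```python
"""AST triage for stub bodies, module-level singletons and undefined annotation names."""
import ast
import builtins
from typing import Dict, List

# Constructed sample mirroring the reported shape of skill.py (not the real file).
SAMPLE = '''
from typing import Dict

class WeComAdapter:
    def __init__(self, config: Dict[str, str]):
        self.secret = config["secret"]
    def send_message(self, text: str) -> bool:
        return True

class RoboticsSkill:
    def navigate(self, target: Tuple[float, float]) -> bool:
        return True
    def battery(self) -> int:
        return 100
    def connect(self, name: str) -> bool:
        self.name = name
        return True

_skill = RoboticsSkill()
'''


def _is_stub(fn: ast.FunctionDef) -> bool:
    """True when the body is only a constant return (optionally after a docstring)."""
    body = fn.body
    if body and isinstance(body[0], ast.Expr) and isinstance(body[0].value, ast.Constant):
        body = body[1:]
    return (len(body) == 1 and isinstance(body[0], ast.Return)
            and isinstance(body[0].value, ast.Constant))


def triage(source: str) -> Dict[str, List[str]]:
    tree = ast.parse(source)
    report: Dict[str, List[str]] = {"stubs": [], "module_singletons": [], "undefined_names": []}

    # Names resolvable at module import time: builtins plus top-level imports,
    # class/def names and assigned names.
    defined = set(dir(builtins))
    for node in tree.body:
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            for alias in node.names:
                defined.add((alias.asname or alias.name).split(".")[0])
        elif isinstance(node, (ast.ClassDef, ast.FunctionDef)):
            defined.add(node.name)
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    defined.add(target.id)
                    # `name = SomeClass()` at module level: a process-wide singleton.
                    if isinstance(node.value, ast.Call) and isinstance(node.value.func, ast.Name):
                        report["module_singletons"].append(f"{target.id} = {node.value.func.id}()")

    for node in ast.walk(tree):
        if not isinstance(node, ast.FunctionDef):
            continue
        if _is_stub(node):
            report["stubs"].append(node.name)
        # Annotations are evaluated at definition time, so every name in them
        # must already be bound or the import of the module fails.
        for ann in [a.annotation for a in node.args.args] + [node.returns]:
            if ann is None:
                continue
            for sub in ast.walk(ann):
                if isinstance(sub, ast.Name) and sub.id not in defined:
                    report["undefined_names"].append(f"{node.name}: {sub.id}")
    return report


if __name__ == "__main__":
    for key, hits in triage(SAMPLE).items():
        print(f"{key}: {hits}")
```

Run it against the skill's real skill.py by replacing SAMPLE with the file contents. An update in which the `stubs` list shrinks while `module_singletons` stays populated is exactly the transition the MEDIUM and LOW findings warn about: the interfaces have become real while the shared state has not been fixed.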