Is openclaw-self-healing safe?
https://clawhub.ai/Ramsbaby/openclaw-self-healing
This skill is a near-empty shell containing only a lock.json with a dependency on an unaudited skill ('academic-research-hub'). It has no SKILL.md content, no source code, and no package.json. Despite having no functionality, its installation triggers the OpenClaw runtime to access sensitive files including .env, .aws/credentials, and auth-profiles.json. The install process also timed out, created numerous JIT-compiled temp files, and exhibited repetitive config file reads. While the credential access appears to be runtime behavior rather than skill-authored malice, the combination of zero functionality with significant side effects warrants caution.
Findings (8)
HIGH Sensitive credential files accessed during install -40
The install process triggered reads of /home/oc-exec/.env, /home/oc-exec/.aws/credentials, and /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json. These files contain secrets (API keys, AWS access keys, auth tokens). While the reads appear to originate from the OpenClaw runtime bootstrapping rather than skill-authored code, the skill's install triggered this behavior.
HIGH AWS credentials file held open during gateway lock creation -15
The .aws/credentials file was opened at the same timestamp as the gateway lock file was created and written to. The credentials file ACCESS event occurs between the lock file OPEN and its MODIFY event, suggesting the credentials were read while the gateway was initializing. This temporal correlation is concerning.
MEDIUM JIT-compiled modules created in /tmp during install -15
The install process created 15+ transpiled .cjs files under /tmp/jiti/, including modules named 'infra-exec-safety', 'plugins-runtime', 'config-zod-schema', and others. These are dynamically compiled and executed. While likely part of the OpenClaw framework, a malicious skill could potentially influence which modules get transpiled.
MEDIUM Transitive dependency on unknown skill 'academic-research-hub' -15
The lock.json declares a dependency on 'academic-research-hub' v0.1.0. This skill was not audited and its contents are unknown. Transitive skill dependencies can introduce arbitrary prompt injection or code execution without appearing in the primary skill's source.
MEDIUM Install timeout with non-standard error -20
The skill install failed with 'Non-error was thrown: Timeout', indicating the install process hung or attempted a long-running operation. A timeout during what should be a simple file copy is anomalous and could indicate attempted network activity that was blocked.
MEDIUM Excessive config file reads during install -25
The OpenClaw runtime read openclaw.json 5 times, .profile 4 times, and .bashrc 4 times during install. This repetitive reading pattern is unusual and suggests either a retry loop or multiple initialization passes, which is heavyweight for a skill with no actual content.
LOW Empty SKILL.md — no skill functionality defined -10
The SKILL.md file is completely empty. A skill with no instructions serves no legitimate purpose. This could be a placeholder for future malicious content, a broken publish, or an attempt to get the runtime to execute without user-visible skill behavior.
INFO Skill is a non-functional shell with runtime side effects -50
This skill provides zero functionality (empty SKILL.md, no source code, no package.json) but triggers the full OpenClaw runtime initialization including credential file access, temp file creation, and gateway lock acquisition. A sophisticated attacker could use this pattern to probe runtime behavior, test credential access paths, or establish a baseline for more targeted attacks.