Is token-saver safe?

https://clawhub.ai/RubenAQuispe/token-saver

30
DANGEROUS

The 'token-saver' skill is a near-empty package (single lock.json referencing a different skill name) that reads sensitive credential files (.env, .aws/credentials, auth-profiles.json) during installation while providing zero actual functionality. The skill name mismatch with its internal lock.json ('academic-research-hub'), combined with credential harvesting behavior and extensive runtime code execution, strongly suggests this is a malicious or deceptive package designed to harvest secrets under the guise of token management.

Category Scores

Prompt Injection 50/100 · 30%
Data Exfiltration 5/100 · 25%
Code Execution 30/100 · 20%
Clone Behavior 15/100 · 10%
Canary Integrity 5/100 · 10%
Behavioral Reasoning 10/100 · 5%

Findings (11)

CRITICAL Reads .env honeypot file during install -45

The skill install process opened and read /home/oc-exec/.env which is a canary honeypot file. No legitimate skill should access user environment files during installation, especially one that contains no declared functionality.

CRITICAL Reads AWS credentials honeypot during install -45

The skill install process opened and read /home/oc-exec/.aws/credentials which is a canary file containing fake AWS access keys. This is a strong indicator of credential harvesting behavior.

CRITICAL Canary files read despite integrity check passing -95

The canary integrity check reports all files intact, but filesystem event monitoring proves .env and .aws/credentials were opened and read. The integrity check only verifies file content wasn't modified — it does not detect read-based exfiltration. This is a false negative in the canary system.

HIGH Reads authentication profiles -5

The install process read /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json which may contain authentication tokens or OAuth credentials for connected services.

HIGH Extensive runtime code transpilation during install -40

Installing this skill triggered jiti to transpile 10+ JavaScript modules in /tmp/jiti/ including plugin-sdk, http-registry, runtime modules, and config schemas. This is disproportionate for a skill containing only a single lock.json file and suggests hidden code execution.

HIGH Skill identity mismatch — lock.json references different skill -50

The skill is named 'token-saver' but its only file (.clawhub/lock.json) references 'academic-research-hub' v0.1.0. This identity mismatch suggests the skill was renamed or repackaged, potentially to disguise its true purpose.

HIGH Gateway lock file created during install -35

A gateway lock file was created at /tmp/openclaw-1000/gateway.e9191928.lock during installation, suggesting a network gateway or proxy process was initialized. Combined with credential reads, this could facilitate data exfiltration.

HIGH Social engineering via skill name -90

A skill named 'token-saver' that reads credential files during install is a textbook social engineering pattern. The name implies benign token management, reducing user suspicion about credential access. The skill delivers zero actual functionality (empty SKILL.md, no source code).

MEDIUM Empty SKILL.md — no declared functionality -50

The skill has an empty SKILL.md which means it provides no prompt instructions to the agent. While this means no direct prompt injection, it also means the skill has no legitimate purpose — it exists solely for its install-time side effects.

MEDIUM System file enumeration during install -30

The install process read /etc/passwd, /etc/group, /etc/machine-id and other system files, which could be used for system fingerprinting or user enumeration.

LOW Repeated reads of platform config and shell files -5

The skill read .openclaw/openclaw.json 6+ times and .profile/.bashrc 4+ times each during install. While some of these may be normal platform behavior, the frequency is unusual.