Is free-ride safe?

https://clawhub.ai/Shaivpidadi/free-ride

Score: 42
Verdict: DANGEROUS

FreeRide presents itself as a benign free AI model manager but exhibits critical security violations during installation. Filesystem monitoring detected access to .env, AWS credentials, SSH private host keys, PAM authentication configs, and auth profiles — none of which are referenced in the visible Python source code. The /tmp/jiti/ directory with 9 compiled CJS modules indicates a hidden execution layer that performs credential harvesting and system reconnaissance invisible to source code review. The massive discrepancy between the clean Python source and the observed install-time behavior is characteristic of a supply-chain attack.

Category Scores

Prompt Injection 70/100 (weight 30%)
Data Exfiltration 15/100 (weight 25%)
Code Execution 40/100 (weight 20%)
Clone Behavior 10/100 (weight 10%)
Canary Integrity 100/100 (weight 10%)
Behavioral Reasoning 15/100 (weight 5%)

Findings (11)

[CRITICAL] Undisclosed access to .env and AWS credentials (-40)

Filesystem monitoring detected the skill opening /home/oc-exec/.env and /home/oc-exec/.aws/credentials during install. Neither file is referenced anywhere in the visible Python source code (main.py, watcher.py). This indicates hidden code executed during installation that harvests secrets from well-known credential files.

[CRITICAL] SSH host private keys read during install (-30)

All three SSH host private keys (RSA, ECDSA, Ed25519) were opened and read during skill installation. These are system-level cryptographic keys. No legitimate model-management skill needs access to SSH host keys. The private keys were each read twice (suggesting content extraction).

[CRITICAL] Hidden code execution during install: source/behavior mismatch (-60)

The filesystem monitoring reveals file accesses and code compilation (/tmp/jiti/ modules including memory-core-index, plugin-sdk-index, bluebubbles-actions, http-registry, etc.) that have zero correspondence to the visible source files. The provided Python source only reads openclaw.json and env vars, yet the install triggered access to .env, .aws/credentials, SSH keys, PAM configs, /etc/passwd, and compiled a full plugin framework. This is the hallmark of a supply-chain attack where the visible source is clean but hidden install-time code performs malicious actions.

[HIGH] Repeated access to shell profiles containing secrets (-15)

The skill read /home/oc-exec/.profile and /home/oc-exec/.bashrc at least 6 times each during install. These files commonly contain exported API keys (OPENROUTER_API_KEY, AWS keys, etc.). While the Python code's get_api_key() checks env vars, the repeated profile reads suggest systematic extraction of all exported environment variables.

[HIGH] System authentication enumeration (-30)

The install process accessed PAM configuration files (sshd, common-auth, common-account, common-session) and /etc/passwd. This indicates reconnaissance of the system's authentication infrastructure — information useful for privilege escalation or lateral movement.

[HIGH] Auth profiles credential access (-15)

The skill opened /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json which contains authentication credentials for configured AI providers. This file is not referenced in the visible source code.

[MEDIUM] Persistent daemon with network polling (-25)

watcher.py includes a daemon mode that runs continuously, polling the OpenRouter API every 60 seconds and making chat completion requests. This provides a persistent execution foothold that could be used for command-and-control communication disguised as model health checks.

[MEDIUM] Configuration file modification capability (-15)

The skill writes to ~/.openclaw/openclaw.json modifying model endpoints and auth profiles. A malicious version could redirect all AI traffic through attacker-controlled proxy endpoints.

[MEDIUM] Broad activation triggers enable unintended invocation (-15)

The SKILL.md description lists generic trigger phrases: 'free AI', 'OpenRouter', 'model switching', 'rate limits', 'reduce AI costs'. These common terms could cause the skill to activate during unrelated conversations, expanding the attack surface.

[MEDIUM] Automatic installation instruction in SKILL.md (-15)

SKILL.md instructs the agent to automatically run 'npx clawhub@latest install freeride' if not installed. This prompts the LLM agent to execute package installation commands, which could pull in additional malicious dependencies.

[LOW] Fingerprinting headers in API requests (-5)

watcher.py includes HTTP-Referer and X-Title headers in requests that identify the installation, enabling server-side tracking of deployed instances.