Is skills-search safe?
https://clawhub.ai/TheSethRose/skills-search
This skill repository contains virtually no content: just a .clawhub/lock.json that references a differently named skill ('academic-research-hub' rather than 'skills-search'). Despite being empty, its installation triggered the OpenClaw runtime, which accessed sensitive files including .env, .aws/credentials, and auth-profiles.json. No network exfiltration was detected, but the combination of an empty skill that triggers credential file reads, a mismatched skill name in the lock file, and extensive /tmp file creation raises significant concerns about the installation pipeline's behavior when processing this repo.
Findings (9)
HIGH Sensitive file access during installation -40
The installation process triggered reads of .env and .aws/credentials. While this appears to be OpenClaw runtime initialization rather than skill-authored behavior, the skill's installation caused credential files to be accessed. The .aws/credentials file was opened and read (OPEN, ACCESS, CLOSE_NOWRITE sequence observed).
HIGH Auth profiles accessed during installation -25
The OpenClaw agent auth-profiles.json was read during skill installation. This file likely contains authentication tokens or credentials for configured services.
MEDIUM Extensive /tmp file creation during installation -30
Installing this skill triggered creation of 25+ compiled JavaScript modules in /tmp/jiti/ and a gateway lock file in /tmp/openclaw-1000/. This is a large filesystem footprint for a skill containing only a single lock.json file.
MEDIUM Skill name mismatch in lock.json -30
The repository is named 'skills-search' but the lock.json references 'academic-research-hub' as the installed skill. This inconsistency suggests the repo may be misconfigured, repurposed, or intentionally misleading about its contents.
MEDIUM Empty skill with no functional content -25
The skill contains no SKILL.md, no source code, no package.json — only a .clawhub/lock.json. This means the skill provides zero functionality to the agent but still triggers the full OpenClaw runtime initialization with its associated credential reads.
MEDIUM Multiple reads of shell profile files -30
The installation process read .profile and .bashrc multiple times (5+ reads each), which could be used to enumerate environment variables, PATH configurations, and shell aliases. While likely runtime behavior, repeated reads are unusual.
LOW JIT compilation triggered during install -30
The jiti (Just-In-Time compilation) framework compiled TypeScript modules to CJS during installation. While this is part of the OpenClaw runtime, it means arbitrary TypeScript code was compiled and potentially executed as part of installing this empty skill.
INFO No SKILL.md content to evaluate -15
SKILL.md is empty, so there are no prompt injection vectors in the skill definition itself. However, this also means the skill provides no documented purpose or instructions.
INFO Canary files intact 0
All honeypot files remained unmodified, indicating no direct attempt to access or exfiltrate canary credentials.