Is xiaoai-bridge safe?

https://clawhub.ai/Warm-winter/xiaoai-bridge

Score 28 · DANGEROUS

This skill presents as an empty shell: no SKILL.md content, no source code and no package.json. Yet during installation it read critical credential files (.env, .aws/credentials, auth-profiles.json), generated and executed 11 compiled JavaScript modules from /tmp/jiti/, and created a gateway lock file. Its lock.json references an unrelated dependency ('academic-research-hub') inside a skill named 'xiaoai-bridge', which suggests a trojan or supply-chain attack vector. No outbound network connections were observed, possibly because the install aborted on a rate-limit error or because of firewall restrictions, but the pattern of credential access strongly indicates a harvesting operation.

Category Scores

Prompt Injection 50/100 · 30%
Data Exfiltration 5/100 · 25%
Code Execution 15/100 · 20%
Clone Behavior 15/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 10/100 · 5%

Findings (11)

CRITICAL AWS credentials file accessed during installation -40

The installation process opened and read /home/oc-exec/.aws/credentials. A skill named 'xiaoai-bridge' has no legitimate reason to access AWS credentials during installation. This is a strong indicator of credential harvesting.

CRITICAL Environment file (.env) accessed during installation -35

The installation process read /home/oc-exec/.env which typically contains API keys, database passwords, and other secrets. No skill installation should need to read the user's .env file.

CRITICAL Agent auth profiles accessed during installation -20

The installation process read /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json, which contains authentication tokens and profiles for the agent platform. This could allow impersonation or unauthorized API access.

CRITICAL Dynamic code generation and execution in /tmp during install -55

The installation process created and executed 11 compiled JavaScript modules in /tmp/jiti/, including 'memory-core-index', 'plugin-sdk-index', 'plugins-runtime' and 'channels-registry'. jiti transpiles modules at load time and writes the output to a cache directory, so code that runs this way never appears among the skill's files: it is invisible to static analysis and cannot be reviewed before execution. Because the host runtime also loads its own modules through that cache, a reviewer should attribute these writes to the skill's process rather than to the installer before treating them as the skill's payload.

HIGH Gateway lock file created suggesting background process -30

A lock file was created at /tmp/openclaw-1000/gateway.e9191928.lock during installation. Lock files coordinate between processes, so this suggests the skill attempted to spawn, or communicate with, a gateway process outside the install.

HIGH Empty SKILL.md with mismatched dependency name -50

The skill has no SKILL.md content and no source code, yet its lock.json references a dependency called 'academic-research-hub', which has nothing to do with the declared purpose of 'xiaoai-bridge'. A skill whose only concrete content is an unrelated dependency has the shape of a shell or trojan wrapping a different payload.

HIGH Filesystem activity outside skill directory -55

The installation created directories and files in /tmp/ and read multiple files in /home/oc-exec/ and /etc/. A skill installation should be confined to its own directory.

MEDIUM Machine fingerprinting via /etc/machine-id -30

The installation process read /etc/machine-id, which provides a unique identifier for the machine. This is commonly used for fingerprinting and tracking.

MEDIUM Repeated access to shell configuration files -5

The installation process read .profile and .bashrc four times each. These files may contain exported environment variables with secrets, PATH modifications, or aliases that reveal system configuration.

INFO Canary files not modified 0

All honeypot files (fake .env, SSH keys, AWS credentials) remained intact; the skill did not modify any decoy. Canary integrity only detects modification: reading a decoy leaves it intact, so this finding does not offset the credential access findings above.

LOW Installation failed with rate limit but still executed code -5

The install output shows a 'Rate limit exceeded' error, yet substantial filesystem activity occurred before the failure. A failed install is therefore not a no-op: the skill's code ran and performed significant operations before the error stopped it.
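The file-access, lock-file, dependency-mismatch and canary findings above are the kind of rules a sandbox scanner applies to an install trace. The following is an added example, not the ClawHub scanner's code and not anything from the xiaoai-bridge skill: a Python triage that applies those rules to a constructed event list built from the paths named in the findings. It assumes the sandbox emits one (operation, path) record per file event and that lock.json carries a top-level "name" and a "dependencies" mapping; the watch list, penalties and sample lock contents are assumptions chosen to mirror the report, and the jiti file names are constructed.

```python
"""Triage of filesystem activity recorded during a sandboxed skill install.

Added example, not the ClawHub scanner's code. Assumes (operation, path)
events and a lock.json with "name" and "dependencies"; both are assumptions.
"""
import fnmatch
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

HOME = "/home/oc-exec"  # sandbox home directory named in the report

# Watch list: (glob, severity, penalty, reason). Relative globs are joined to
# HOME. Penalties follow the report's findings; the rule set is an assumption.
WATCHLIST = [
    ("/tmp/jiti/*", "CRITICAL", 55, "dynamic code generated and executed from tmp"),
    (".aws/credentials", "CRITICAL", 40, "AWS credentials file read"),
    (".env", "CRITICAL", 35, "environment secrets file read"),
    (".openclaw/agents/*/agent/auth-profiles.json", "CRITICAL", 20, "agent auth profiles read"),
    ("/tmp/openclaw-*/gateway.*.lock", "HIGH", 30, "gateway lock file created"),
    ("/etc/machine-id", "MEDIUM", 30, "machine fingerprinting"),
    (".profile", "MEDIUM", 5, "shell configuration read"),
    (".bashrc", "MEDIUM", 5, "shell configuration read"),
]
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFO": 4}


def _expand(pattern):
    return pattern if pattern.startswith("/") else f"{HOME}/{pattern}"


def classify(path):
    """Return the first watch-list rule matching an absolute path, or None."""
    for rule in WATCHLIST:
        if fnmatch.fnmatchcase(path, _expand(rule[0])):
            return rule
    return None


def triage(events):
    """Fold (operation, path) events into one finding per rule, most severe first.

    Repeated hits on a rule are counted rather than penalised again, which is
    how the report treats the four reads each of .profile and .bashrc.
    """
    hits = defaultdict(list)
    for op, path in events:
        rule = classify(path)
        if rule is not None:
            hits[rule].append((op, path))
    findings = [
        {"severity": sev, "penalty": pen, "reason": reason, "pattern": pat,
         "count": len(evs), "paths": sorted({p for _, p in evs})}
        for (pat, sev, pen, reason), evs in hits.items()
    ]
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], -f["penalty"]))
    return findings


def empty_shell_mismatch(skill_name, has_skill_md, has_source, lock):
    """Package names a lock.json pulls in for a skill that ships no content.

    Returns [] when the skill has a SKILL.md or source (dependencies are then
    expected); otherwise every name in the lock that is not the skill itself.
    """
    if has_skill_md or has_source:
        return []
    names = set(lock.get("dependencies", {})) | {lock.get("name")}
    names.discard(None)
    return sorted(n for n in names if n != skill_name)


def snapshot(paths):
    """SHA-256 of each canary file that exists; take one before and one after."""
    return {str(p): hashlib.sha256(Path(p).read_bytes()).hexdigest()
            for p in paths if Path(p).is_file()}


def canary_changes(before, after):
    """Canaries whose hash changed, or that vanished, between two snapshots."""
    return sorted(p for p, h in before.items() if after.get(p) != h)


# Constructed event log mirroring the paths named in the findings.
SAMPLE_EVENTS = (
    [("read", f"{HOME}/.profile"), ("read", f"{HOME}/.bashrc")] * 4
    + [("read", f"{HOME}/.aws/credentials"),
       ("read", f"{HOME}/.env"),
       ("read", f"{HOME}/.openclaw/agents/main/agent/auth-profiles.json"),
       ("read", "/etc/machine-id"),
       ("read", f"{HOME}/skills/xiaoai-bridge/lock.json"),  # inside skill dir: benign
       ("create", "/tmp/openclaw-1000/gateway.e9191928.lock")]
    + [("write", f"/tmp/jiti/{name}.js") for name in  # constructed cache file names
       ("memory-core-index", "plugin-sdk-index", "plugins-runtime", "channels-registry")]
)
SAMPLE_LOCK = {"name": "xiaoai-bridge",  # assumed lock.json shape, constructed version
               "dependencies": {"academic-research-hub": "1.0.0"}}


def demo():
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:8} -{f['penalty']:<3} {f['reason']} (x{f['count']})")
    print("unexplained deps:", empty_shell_mismatch("xiaoai-bridge", False, False, SAMPLE_LOCK))
    with tempfile.TemporaryDirectory() as d:  # decoys created here, not real secrets
        canaries = [Path(d, ".env"), Path(d, "id_rsa")]
        for c in canaries:
            c.write_text("decoy\n")
        before = snapshot(canaries)
        Path(d, "id_rsa").write_text("tampered\n")  # simulate a modified decoy
        print("modified canaries:", canary_changes(before, snapshot(canaries)))


if __name__ == "__main__":
    demo()
```

The penalties are the per-finding values from the report; the block does not reproduce the page's overall score, whose weighting is not shown. A benign read inside the skill's own directory yields no finding, which is the boundary the "filesystem activity outside skill directory" finding draws.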