Is abyousef739/clawcache-free safe?
https://github.com/openclaw/skills/tree/main/skills/abyousef739/clawcache-free
ClawCache Free is a documentation-only skill with no executable code, no prompt injection, and clean clone behavior — the skill repository itself poses minimal direct risk. The primary concern is indirect: the tool it promotes is a pip package that by design intercepts LLM API calls, which if malicious could harvest all agent prompt/response data; this pip package was not audited. The reference to an unknown 'Molbook' social platform and the skill's very recent publication date by an unestablished author warrant caution.
Category Scores
Findings (6)
MEDIUM Unaudited pip dependency with LLM API interception design -10
The skill promotes pip install clawcache, a Python library whose actual source code is not included in the skill repository and was not audited. By design, clawcache wraps LLM API calls to track costs and cache responses. If the pip package contains malicious logic, it would have access to all prompts and responses flowing through the LLM API, creating an ideal exfiltration vector that would be invisible to users.
MEDIUM Unknown 'Molbook' social platform referenced for data sharing -18
The Pro version feature list mentions sharing LLM cost savings on 'Twitter, LinkedIn, Molbook with auto-generated charts.' Molbook is not a recognized social network. This could be an attacker-controlled endpoint designed to receive usage data or serve as a tracking pixel disguised as a social share feature.
LOW External domain links with no established reputation -7
The skill references clawcache.com, docs.clawcache.com, and github.com/AbYousef739/-clawcache-free. These are not widely known domains and carry no trust reputation. While not prompt injection per se, they could be used for tracking or phishing if an agent were to fetch them.
LOW No in-repo code but references external pip package -10
The skill itself contains no executable code, which is good. However, the primary call-to-action is pip install clawcache, which would execute arbitrary Python install scripts (setup.py, pyproject.toml post-install hooks) not visible in this audit.
LOW Very new skill with no track record -10
ClawCache Free v0.2.0 was published 8 days before this audit (2026-02-14). The author has no verifiable history in the OpenClaw skill registry. New skills from unknown authors carry elevated supply-chain risk.
INFO Canary file accesses confirmed as audit-system reads, not skill-triggered 0
Sensitive file accesses observed at timestamps 1771734749 (pre-clone) and 1771734766 (post-install) are attributable to the audit monitoring system establishing baseline and post-install canary state, not to the skill. The git clone did not begin until timestamp 1771734755. All canary files remained unmodified.