Is adversa-ai/secureclaw-skill safe?

https://github.com/openclaw/skills/tree/main/skills/adversa-ai/secureclaw-skill

77
CAUTION

SecureClaw is a legitimate defensive security skill from Adversa AI with genuine OWASP ASI/MITRE ATLAS coverage, but it operates with elevated host privilege: nine bash scripts modify agent identity files (SOUL.md, AGENTS.md, TOOLS.md) during installation, execute chmod/sed/rm -rf operations on live configs, and require daily autonomous invocation. The skill's own advisory checker phones home to adversa-ai.github.io on each run, and its supply chain scanner self-exempts SecureClaw from scanning, creating a blind spot if the GitHub repository were ever compromised. The kill switch mechanism (Rule 14) is architecturally sound but doubles as a local denial-of-service vector exploitable by any co-resident process.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 58/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (13)

HIGH Scripts persistently modify agent identity files -15

install.sh appends SecureClaw-authored directives into SOUL.md, AGENTS.md, and TOOLS.md. quick-harden.sh also appends privacy and injection-awareness sections to SOUL.md. These are the agent's core cognitive/identity files. Modification of these files at install time means SecureClaw embeds persistent behavioral instructions into the agent's memory that survive skill removal unless manually cleaned.

HIGH Nine host-level bash scripts with broad system access -15

The skill requires execution of 9 bash scripts (quick-audit.sh, quick-harden.sh, check-integrity.sh, check-privacy.sh, scan-skills.sh, check-advisories.sh, emergency-response.sh, install.sh, uninstall.sh) running directly on the host with full user permissions. Scripts perform chmod operations, in-place sed modifications of JSON configs, rm -rf on backup directories, lsof port scanning, find traversals, and shasum operations across the user's home directory.

MEDIUM Advisory script phones home to adversa-ai.github.io -15

check-advisories.sh makes an outbound HTTP GET request to https://adversa-ai.github.io/secureclaw-advisories/feed.json every time it is invoked (Rule 6 mandates daily invocation). This reveals to Adversa AI that the skill is installed, the agent's public IP, and execution timing. While the current feed URL points to a GitHub Pages endpoint, the URL is substitutable via environment variable.

MEDIUM Kill switch is a local denial-of-service vector -12

Rule 14 instructs the agent to permanently halt all tool calls, commands, and messages if ~/.openclaw/.secureclaw/killswitch exists. This file can be created by any process running as the same user — including a compromised skill, a successful prompt injection, or an attacker with local access. An adversary who triggers this condition freezes the agent with no recovery mechanism other than manual file deletion.

MEDIUM Supply chain scanner self-exempts SecureClaw -10

scan-skills.sh skips its own directory when scanning installed skills for malicious patterns. This means SecureClaw's own configs (which contain the very injection patterns and IOC signatures it warns about) are never scanned, and any future malicious content inserted into SecureClaw by a supply chain compromise would go undetected by the scanner.

MEDIUM Advisory feed endpoint overridable via environment variable -8

The SECURECLAW_FEED_URL environment variable completely overrides the advisory feed destination. If an attacker can set this variable (via a compromised .env file, another skill, or a prompt injection that sets env vars), they control what advisory content the agent receives and parses via Python's json.loads(). This is an indirect code/data injection path.

MEDIUM Daily and 12-hourly scheduled script invocations -7

Rules 6 and 7 instruct the agent to autonomously run quick-audit.sh daily and check-integrity.sh every 12 hours without explicit user request. This establishes persistent scheduled behavior where the agent self-initiates privileged script execution on a recurring basis, expanding the attack surface for any vulnerability in those scripts.

MEDIUM GitHub monorepo supply chain dependency -8

The skill is installed via a sparse checkout of the openclaw/skills GitHub monorepo. Updates re-run the installer from the same source. A compromise of the adversa-ai/secureclaw-skill subdirectory or the openclaw/skills repository would push malicious script or config content to all agents with this skill installed on the next update. The installer performs no cryptographic verification of the downloaded content against checksums.json.
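The verification step the two findings above say is missing (the installer not checking the checkout against checksums.json, and the scanner never looking at SecureClaw's own directory) could look like the following. This is an added example, not code from the skill or from Adversa AI; it assumes a checksums.json layout of {"files": {"relative/path": "<sha256 hex>"}}, which the page does not confirm, and builds a constructed sample skill directory for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed manifest layout (not confirmed by the page): {"files": {"rel/path": "<sha256 hex>"}}
def verify_checksums(skill_dir: str, manifest_name: str = "checksums.json") -> dict:
    """Compare every file in the checked-out skill directory against the manifest.
    Returns which files matched, mismatched, are missing, or are present but unlisted."""
    root = Path(skill_dir)
    expected = json.loads((root / manifest_name).read_text())["files"]
    result = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for rel, digest in expected.items():
        path = root / rel
        if not path.is_file():
            result["missing"].append(rel)
            continue
        actual = hashlib.sha256(path.read_bytes()).hexdigest()
        (result["ok"] if actual == digest.lower() else result["mismatch"]).append(rel)
    # A file the manifest does not know about is as suspicious as a modified one:
    # it is exactly what a self-exempting scanner would never see.
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if rel != manifest_name and rel not in expected:
                result["unlisted"].append(rel)
    return result

def build_demo(tamper: bool) -> str:
    """Constructed sample skill tree for the demo; not the real skill's contents."""
    base = Path(tempfile.mkdtemp())
    files = {
        "scripts/quick-audit.sh": b"#!/bin/bash\necho audit\n",
        "configs/injection-patterns.json": b'{"patterns": []}\n',
    }
    for rel, data in files.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(data)
    manifest = {"files": {rel: hashlib.sha256(d).hexdigest() for rel, d in files.items()}}
    (base / "checksums.json").write_text(json.dumps(manifest))
    if tamper:  # simulate a post-publication change plus a file the manifest never listed
        (base / "scripts/quick-audit.sh").write_bytes(b"#!/bin/bash\necho audit # modified\n")
        (base / "scripts/extra.sh").write_bytes(b"#!/bin/bash\n")
    return str(base)

if __name__ == "__main__":
    print(verify_checksums(build_demo(tamper=False)))
    print(verify_checksums(build_demo(tamper=True)))
```

An installer that refuses to proceed when mismatch, missing or unlisted is non-empty closes the gap described above, provided the manifest itself is obtained from a source the attacker cannot also rewrite.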

MEDIUM chmod, sed -i, and rm -rf in hardening script -5

quick-harden.sh uses chmod to change directory and file permissions (700, 600), uses sed with in-place editing on openclaw.json with a backup-then-verify pattern, and uses rm -rf to remove backup directories. While these operations are intended for hardening, they operate on live configuration files and could cause data loss or lock out the agent if they fail mid-execution on unusual filesystem layouts.

LOW Agent identity files modified during installation -13

install.sh writes SecureClaw-authored content into TOOLS.md and AGENTS.md (marking SecureClaw as 'ALWAYS ACTIVE'). This is the same type of operation the skill's own injection-patterns.json classifies under 'config_tampering' (patterns: 'modify your tools', 'modify your identity'). A user reviewing their AGENTS.md after install would find content they did not explicitly author, which could be confused with a legitimate injection.

LOW HTML comments used for inline metadata -5

SKILL.md uses an HTML comment block to embed framework mapping metadata. While the content is benign, HTML comments are listed in SecureClaw's own structural_hiding patterns (injection-patterns.json) as a technique used to conceal instructions from human reviewers. The use here is informational, but establishes a precedent for hidden structured content in the skill file.

LOW Credential pattern scanning across OpenClaw directory -5

quick-audit.sh runs grep -rl with API key patterns (sk-ant-, AKIA, ghp_, etc.) across the entire $OPENCLAW_DIR tree. While intended to detect leaked credentials, the scan reads all files including potentially sensitive ones. The results are printed to stdout, which an attacker with output visibility could use to confirm credential file locations.

INFO Expected GitHub HTTPS connection during installation -10

Installation performs a sparse git clone from github.com (140.82.121.3:443). This is the documented and expected install mechanism. No connections to unexpected IPs were observed. The ClawHavoc C2 server (91.92.242.30) listed in supply-chain-ioc.json was not contacted.