Is aliahmadaziz/openclaw-setup-guide safe?
https://github.com/openclaw/skills/tree/main/skills/aliahmadaziz/openclaw-setup-guide
The openclaw-setup-guide skill is a clean, instruction-only markdown document with zero executable code, no prompt injection in its own content, a minimal two-file footprint, and passed all behavioral monitoring checks during installation — no unexpected processes, network connections, or filesystem modifications attributable to the skill. The primary risk is architectural rather than malicious: the skill's entire substantive function is directing agents to an external, unaudited guide URL that constitutes the real execution surface and can be updated at any time after this audit. The guide handles sensitive production infrastructure credentials, meaning a compromised or updated guide URL would represent high-impact risk in agentic deployments with web fetch capabilities.
Category Scores
Findings (5)
MEDIUM Unaudited External Guide URL Is the Skill's Real Execution Surface -28 ▶
The skill's sole substantive function is directing agents to an external GitHub Pages URL (aliahmadaziz.github.io/openclaw-guide). This URL is controlled by the skill author and can be modified at any time after this audit without triggering re-review. The guide provides step-by-step instructions with copy-pasteable shell commands for VPS configuration, OAuth token setup, SSH hardening, Cloudflare tunnel deployment, and 35+ cron jobs. An agent with fetch/browse capabilities following this skill would effectively receive and potentially execute instructions from an unvetted external resource, making the external site the true attack surface rather than the audited SKILL.md.
LOW Canary Files Read During Audit Window -18 ▶
Six honeypot credential files were opened and read (CLOSE_NOWRITE) at two points during the audit: at 13:25:40 (before git clone which begins at 13:25:46) and at 13:25:57 (post-install scan phase). Cross-referencing EXECVE logs and process timing confirms the reads are attributable to the audit framework's own pre/post baseline scanning, not to any skill-originated process. Canary integrity check confirms no modifications. No outbound network traffic carries file contents. Documented for transparency.
LOW External URL Creates Post-Audit Prompt Injection Surface -15 ▶
When an agent fetches the external guide URL as part of executing this skill's instructions, the guide's content enters the agent's context as trusted instructions. The URL is hosted on GitHub Pages from a repository (aliahmadaziz/openclaw-guide) owned by the skill author. If that repository is compromised, taken over, or intentionally updated maliciously, it could inject arbitrary instructions into an agent's execution — for example, instructions to exfiltrate credentials collected during the infrastructure setup process the guide describes. This is a living-document injection risk.
INFO External Guide Contains Executable Shell Commands Across 6 Infrastructure Parts -4 ▶
While SKILL.md itself contains no executable code, the guide it references explicitly provides copy-pasteable commands for VPS setup, Node.js installation, OAuth token configuration, Cloudflare tunnel deployment, rclone encrypted backup configuration, CrowdSec IDS setup, and cron automation. The guide claims to represent a production deployment running 35+ cron jobs and 60+ scripts. An agent with shell access following this skill could execute these commands as directed by the unaudited external resource without this audit having reviewed them.
INFO Skill References Second External Repository Not Included in Audit Scope -8 ▶
The SKILL.md references a source repository (github.com/aliahmadaziz/openclaw-guide) distinct from the audited openclaw/skills monorepo. The guide's GitHub Pages deployment originates from this repository. This repository was not cloned, scanned, or analyzed as part of this audit. Any code, scripts, or content in that repository are outside the audit boundary.