Is amar1432/error-guard safe?

https://github.com/openclaw/skills/tree/main/skills/amar1432/error-guard

Score: 82 (SAFE)

error-guard is a legitimate control-plane skill for managing long-running tasks in OpenClaw environments. It contains no prompt injection, data exfiltration, or malicious clone behavior, and all canary files remained intact. However, it exposes powerful capabilities — unrestricted process killing, arbitrary sub-agent spawning, and cross-session messaging — without any authorization controls, creating a meaningful attack surface if combined with a malicious co-installed skill.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (7)

MEDIUM Unrestricted process kill in flush() -15

The flush() function in control.ts iterates over all active exec sessions via process.list({}) and kills each one via process.kill({ sessionId }). There is no filtering, confirmation, or scope limitation. Any invocation of /flush terminates all running work across the entire agent environment.

MEDIUM Arbitrary sub-agent spawning via sessions_spawn -8

spawn.ts exposes spawnWorker() which calls sessions_spawn with a caller-controlled 'message' parameter. This allows spawning new isolated sub-agent sessions that execute arbitrary task instructions, limited only by the SDK's own sandboxing.

LOW Invalid TypeScript syntax in SDK imports -5

All three files importing from @openclaw/sdk use 'from "@openclaw/sdk" as any' which is syntactically invalid TypeScript. This prevents standard compilation and verification, and suggests either a non-standard build toolchain or hasty development.

LOW Control-plane authority positioning -10

SKILL.md frames the skill as operating at the 'agent control-plane level' with authority to kill processes, clear message queues, and reset state. While transparent, this positions the skill with elevated trust that could influence agent decision-making.

LOW Cross-session messaging via sessions_send -5

worker-events.ts uses sessions_send to transmit JSON-serialized TaskEvent objects to other sessions identified by sessionKey. While intended for event coordination, this channel could theoretically be used to relay data between sessions in a multi-skill attack scenario.

INFO No authorization on control commands -12

The /status, /flush, and /recover commands have no authentication or authorization mechanism. Any caller can invoke these functions, meaning a co-installed malicious skill could trigger flush() to disrupt all agent work.

INFO Lock file references unrelated skill -5

.clawhub/lock.json lists 'academic-research-hub' as an installed skill rather than 'error-guard'. This is a minor metadata anomaly likely from the development environment but indicates the skill was developed alongside or after another skill installation.