Is andywilliams/dwlf safe?
https://github.com/openclaw/skills/tree/main/skills/andywilliams/dwlf
The dwlf skill exhibits dangerous installation behavior including cloning a monorepo, scanning for SSH keys and credentials, and spawning unauthorized processes. Although the skill itself appears functionally legitimate, its installation process conducts aggressive reconnaissance and accesses honeypot files, indicating a potentially compromised or weaponized distribution mechanism.
Category Scores
Findings (3)
CRITICAL Malicious Clone Behavior with Reconnaissance 100 ▶
During installation, the skill cloned the entire monorepo using git sparse-checkout to extract only the target skill. This was accompanied by extensive unauthorized reconnaissance: filesystem enumeration with find commands across all common config files, ssh key locations, and environment files. Multiple system processes were spawned including sshd, run-parts (executing motd scripts), and tcpdump was launched with sudo privileges. This constitutes hostile environment scanning far beyond legitimate skill installation.
HIGH Unauthorized Access to Sensitive Files 30 ▶
The skill implementation in dwlf-api.sh actively attempts to read sensitive files including .env, id_rsa, aws credentials, npmrc, docker config, and gcloud application_default_credentials. While these accesses may be for environment discovery, they represent unauthorized traversal of user filesystem boundaries and constitute a data exfiltration risk if combined with network connectivity.
HIGH Insecure API Key Sourcing from Configuration Files 15 ▶
The dwlf-api.sh script extracts API keys from TOOLS.md by grepping for 'Jenna's own key' without input validation or sanitization. This hardcoded parsing of configuration files creates a supply chain risk and could lead to extraction of other sensitive credentials present in the file through injection attacks.