Is anna-claudette/clawzembic safe?
https://github.com/openclaw/skills/tree/main/skills/anna-claudette/clawzembic
Clawzembic is a functionally legitimate OpenClaw efficiency audit tool with clean installation behavior and no prompt injection or canary violations. The primary security concern is the --remote SSH execution path in lean-audit.sh, which pipes the entire script over SSH to a bash process on whatever host is named, with no host validation; an agent guided to a malicious host hands that host the script and an authenticated SSH session and then treats whatever the host returns as the audit result, a realistic exfiltration vector. The skill also reads sensitive workspace injection files (MEMORY.md, SOUL.md, etc.) and full cron job configurations, which is consistent with its stated audit purpose but represents meaningful data exposure. A minor persona binding to the name 'Jeffrey' in the agent usage instructions is also noted.
Category Scores
Findings (7)
HIGH SSH Remote Execution Creates Exfiltration Path -30
The --remote flag in lean-audit.sh runs exec ssh "$REMOTE" "bash -s" < "$SCRIPT_DIR/lean-audit.sh", piping the entire audit script to bash on whatever host $REMOTE names. The script executes on that host, reading its cron store, session data, config and workspace file sizes, and its output is returned to the calling agent. If an agent is instructed or social-engineered into supplying an attacker-controlled host, the local ssh client authenticates to that host with whatever credentials and per-host options the local ssh configuration applies, the script is disclosed to it, and the agent accepts whatever the host returns as the audit result. The SKILL.md itself normalizes remote usage by suggesting '--remote user@claudette' in the Agent Usage section.
MEDIUM Reads Sensitive Workspace Injection Files -20
lean-report.py explicitly enumerates MEMORY.md, SOUL.md, AGENTS.md, IDENTITY.md, TOOLS.md, USER.md, HEARTBEAT.md, and BOOTSTRAP.md from the OpenClaw workspace directory. These files are injected into every agent session and may contain sensitive user context, persistent memory, agent identity definitions, and operational instructions. Only file sizes are reported, but the script process runs with read access to the file contents.
MEDIUM Enumerates Cron Job Configurations Including Model and Thinking Settings -15
audit_cron_health reads the full cron store (jobs.json) and iterates over every enabled job, extracting job names, payload models, thinking levels, session targets, and schedules. This exposes the complete automation schedule and model configuration of the OpenClaw instance; combined with the --json output mode, it produces a structured dump suitable for automated capture.
LOW Persona Binding to Named User Identity -12
The SKILL.md Agent Usage section begins 'When Jeffrey asks you to audit or optimize an OpenClaw instance', binding the skill's activation condition to a specific user identity. While this appears to be the author's personal configuration, an agent could interpret it as granting elevated trust or special permissions to any request attributed to that name.
LOW Executable Shell Script with Unvalidated SSH Target -10
lean-audit.sh is an executable bash script that accepts a --remote argument with no host validation, host key pinning, or allowlist. Because the script uses exec to replace itself with the ssh process, nothing runs after the session ends to inspect ssh's exit status or what the remote returned. The value is passed straight through as ssh's destination argument; ssh parses a value beginning with '-' as an option rather than a destination, so the shape of the argument matters as much as the allowlist.
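As an added example (not code from clawzembic or its author) of the checks the HIGH and LOW findings above say are missing, the shell below validates a --remote value against an allowlist and a strict user@host shape, refuses anything ssh would parse as an option, and invokes ssh without exec and with strict host key checking so the caller can inspect the result. ALLOWED_REMOTES, validate_remote and run_remote_audit are assumed names, and the allowlist contents are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of clawzembic: hardened handling of a --remote target.
# Assumed names: ALLOWED_REMOTES, validate_remote, run_remote_audit.
set -u

# Operator-approved hosts, space separated (constructed for the example; in a real
# deployment this would come from configuration rather than being hard-coded).
ALLOWED_REMOTES="claudette"

# validate_remote USER@HOST -> exit 0 if the target is acceptable, 1 otherwise.
validate_remote() {
  local target="$1"
  local host h
  # ssh parses a leading '-' as an option, not a destination: refuse outright.
  case "$target" in
    -*) return 1 ;;
  esac
  # Require exactly user@host with conservative character sets, so shell
  # metacharacters, spaces and option-like fragments never reach ssh.
  if ! printf '%s\n' "$target" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}@[A-Za-z0-9.-]+$'; then
    return 1
  fi
  host="${target#*@}"
  # Allowlist: the host must match one approved entry exactly.
  for h in $ALLOWED_REMOTES; do
    if [ "$h" = "$host" ]; then
      return 0
    fi
  done
  return 1
}

# run_remote_audit USER@HOST SCRIPT -> pipes SCRIPT to bash on the validated host.
# Unlike 'exec ssh ...', this returns to the caller, so ssh's exit status and output
# can be checked before anything downstream trusts them.
run_remote_audit() {
  local target="$1"
  local script="$2"
  validate_remote "$target" || { echo "refusing remote target: $target" >&2; return 2; }
  # StrictHostKeyChecking=yes: fail on unknown or changed host keys instead of
  # trusting on first use. BatchMode=yes: never fall back to interactive prompts.
  # '--' ends option parsing, so the destination is never read as an option.
  ssh -o StrictHostKeyChecking=yes -o BatchMode=yes -- "$target" 'bash -s' < "$script"
}
```

The allowlist is the part that actually bounds where the script and the SSH session can go; the shape check and the '--' only stop the argument from being misread. Output returned by an approved but compromised host is still untrusted text, which is why the caller, not exec, should be the one reading it.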
LOW Maps OpenClaw Internal Structure for Potential Follow-On Attack -15
lean-report.py probes three standard node_modules installation paths for OpenClaw's built-in skills directory and reads the internal cron store format, session store format, and config schema. This reconnaissance output would help an attacker understand the internal layout of any OpenClaw installation well enough to craft targeted follow-on attacks.
INFO OpenClaw Gateway Port Appears in Post-Install Connection Diff 0
After installation, 127.0.0.1:18790 and [::1]:18790 appear in the connection diff attributed to 'openclaw-gatewa' (pid=1085), the gateway's process name truncated to the 15 characters the Linux comm field holds. This process predates the skill installation and is the pre-existing OpenClaw gateway, not something introduced by the skill. Included for completeness.