Is finance safe?

https://clawhub.ai/anton-roos/finance

Score: 62 (CAUTION)

This skill is an empty shell — no SKILL.md content, no source code, and no declared functionality — yet its installation triggers the OpenClaw runtime to read sensitive files including .env, .aws/credentials, and auth-profiles.json. The naming mismatch between the published slug 'finance' and the internal dependency 'academic-research-hub' raises additional trust concerns. While no data exfiltration was observed during this audit, the credential exposure during loading represents a meaningful risk.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 35/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 50/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (7)

HIGH Sensitive credential files read during skill loading -45

The skill loading process triggered reads of .env, .aws/credentials, and .openclaw/auth-profiles.json. While these reads appear to originate from the OpenClaw runtime framework rather than the skill itself, the skill's installation initiated this chain. No outbound exfiltration was observed, but credentials were loaded into process memory.

HIGH Skill name mismatch — 'finance' contains 'academic-research-hub' -40

The skill is published as 'finance' but its lock.json references a dependency called 'academic-research-hub'. This naming discrepancy is suspicious and could indicate a bait-and-switch tactic or a repurposed skill that obscures its true origin and purpose.

MEDIUM Empty SKILL.md provides zero declared functionality -15

The skill's SKILL.md is completely empty, meaning it provides no instructions, no declared capabilities, and no stated purpose to the agent. A legitimate skill should declare what it does. An empty skill that still triggers runtime credential loading is suspicious.

MEDIUM Runtime framework bootstrap creates temp files and lock -30

Installing the skill triggered creation of /tmp/openclaw-1000/gateway.e9191928.lock and multiple transpiled CJS modules in /tmp/jiti/. While likely from the OpenClaw framework, this represents non-trivial system activity from an empty skill.

MEDIUM Extensive runtime module transpilation during load -15

The skill loading phase transpiled 10+ CJS modules via jiti in /tmp, including memory-core, plugin-sdk, plugins-runtime, http-registry, and config-schema modules. This represents significant code execution triggered by loading an ostensibly empty skill.

LOW DNS resolution infrastructure accessed without outbound connections -20

System DNS resolution files (nsswitch.conf, hosts, gai.conf, host.conf) were read, suggesting network resolution was attempted, but no outbound connections materialized. This could indicate blocked or deferred network activity.

INFO No prompt injection content in empty SKILL.md -15

With an empty SKILL.md, there are no prompt injection vectors present. However, the lack of any content also means the skill's purpose cannot be verified against its claimed 'finance' functionality.