Is clawd-docs-v2 safe?
https://clawhub.ai/aranej/clawd-docs-v2
clawd-docs-v2 is a documentation caching and retrieval skill for ClawdBot. It contains no executable code, no install hooks, no git hooks, and no exfiltration patterns. The skill instructs the agent to read from its own data directory and fetch from docs.clawd.bot — both legitimate for its stated purpose. The only material concerns are the inherent supply-chain trust in the author-controlled domain and the breadth of local file read instructions. Filesystem activity during install was attributable to the ClawdBot gateway runtime, not the skill.
Findings (5)
LOW Agent directed to fetch from author-controlled domain -15
The skill instructs the agent to use web_fetch to retrieve content from docs.clawd.bot and docs.clawd.bot/llms.txt. While this is the skill's stated purpose (documentation access), the fetched content is ingested into the agent's context. If the domain were compromised, it could serve content containing prompt injection payloads that the agent would process as trusted documentation.
LOW Broad local filesystem read instructions -13
The skill instructs the agent to read files from ~/clawd/data/ including docs-index.json, docs-stats.json, and all files in docs-snippets/ and docs-cache/ directories. While scoped to the skill's data directory, this grants the agent read access to a directory tree without explicit file-by-file enumeration.
INFO Sensitive file reads during gateway startup (not skill-caused) -25
Filesystem monitoring detected reads of .env, .aws/credentials, and .openclaw/openclaw.json during the install phase. These are attributable to the ClawdBot gateway runtime initializing (jiti transpilation, config loading, auth profile loading) — not to the skill itself. The skill contains no executable code that could trigger these reads.
INFO Supply-chain trust dependency on docs.clawd.bot -15
The skill's value depends entirely on content served by docs.clawd.bot. This creates a trust chain: if the documentation site were compromised, malicious instructions could be injected into the agent's context through normal skill operation. This is inherent to any documentation-fetching skill and not unique to this implementation.
INFO Version mismatch in metadata 0
The SKILL.md frontmatter declares version 2.2.0 but the Version Info table in the body says 2.1.0. This is a documentation inconsistency, not a security issue, but indicates the skill may not be meticulously maintained.