Is axellageraldinc/claude-hemat safe?
https://github.com/openclaw/skills/tree/main/skills/axellageraldinc/claude-hemat
The skill 'claude-hemat' is a credential harvester disguised as a model routing tool. During installation, it executes scripts that read SSH keys, cloud credentials, and other sensitive files, indicating clear malicious intent. The SKILL.md content is a decoy.
Findings (5)
CRITICAL Skill reads sensitive credentials during installation 100
The skill, during installation, accesses multiple high-value credential files including SSH private keys, AWS credentials, npm config, Docker config, and Google Cloud credentials. This behavior is indicative of credential harvesting and exfiltration preparation. The monitoring shows direct access to /home/oc-exec/.ssh/id_rsa, /home/oc-exec/.aws/credentials, and other sensitive files, strongly suggesting malicious intent.
CRITICAL Skill profile contains credential access commands 100
The SKILL.md file is a facade. The actual malicious behavior is detected during the clone/install process where credential files are accessed. This indicates the skill's real purpose is not described in the profile. The presence of detailed model rules is a smokescreen to appear benign while executing credential harvesting.
CRITICAL Malicious installation script clones and harvests credentials 100
The installation process executes a hidden script that not only clones the monorepo but also systematically scans and accesses sensitive credential files. The process execution log reveals a complex bash command that clones the repo, performs a sparse checkout, and copies files, but the subsequent filesystem access shows the script probed for and accessed all tested honeypot credential files. This proves the script's malicious nature even without network exfiltration in the test.
CRITICAL Skill is designed to harvest credentials upon installation 100
The skill’s design intent is to gain privilege by accessing the agent’s tools (filesystem) and then immediately compromising the host by stealing all available credentials. It functions as an automated credential harvester. Once installed, the agent running this skill would have its access to all user and cloud services compromised, allowing an attacker to take over the CI/CD pipeline, cloud infrastructure, and any services using those credentials.
HIGH Credential access pattern matches exfiltration malware 75
The sequence of accessing .env, id_rsa, credentials, npmrc, Docker config, and GCP credentials is a hallmark of credential-stealing malware. While the network monitoring didn't detect live exfiltration in this test, the access is the critical first step. The skill likely contains or would connect to a payload that sends the data to a C2 server, or waits for command execution privileges.