Is betsymalthus/claw-ethics-checker safe?
https://github.com/openclaw/skills/tree/main/skills/betsymalthus/claw-ethics-checker
Claw Ethics Checker is a Python-based keyword classifier marketed as an AI agent compliance gate. The skill code is functionally benign — pure in-memory heuristics with no network calls or sensitive filesystem access — and SKILL.md contains no prompt injection vectors. The primary unresolved concern is a targeted read of six credential file paths (.env, SSH key, AWS credentials, npmrc, Docker config, GCP credentials) observed in both pre- and post-install monitoring phases; while canary integrity is intact and no exfiltration traffic was detected (suggesting these reads originated from the audit framework's own canary baseline checks), process-level attribution was not definitively confirmed. The skill's keyword-bypass susceptibility means it should not be treated as a reliable security gate by agents.
Findings (6)
HIGH Targeted credential file reads during install session -32
Six high-value credential files were opened for reading at audit events 257-262 (pre-install, 1771939260.153) and again at events 1440-1445 (post-install, 1771939279.215). The targeted list — .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud application_default_credentials.json — represents a comprehensive credential sweep. The reads are CLOSE_NOWRITE,CLOSE (read-only, no modification). No corresponding outbound data transmission was detected and canary integrity is intact, making it likely these are oathe audit framework canary verification reads rather than skill-originated access. However, attribution to a specific process was not confirmed from available EXECVE records at those exact timestamps.
LOW Python executable code included in skill package -17
The skill ships two Python modules (claw_ethics_checker.py, test_ethics_checker.py). The core module is a pure in-memory keyword classifier with no network or sensitive filesystem access. The test module imports and exercises the core. Neither file contains subprocess calls, socket usage, or credential path references. Risk is low but agents with a Python execution tool could invoke these files.
LOW Ethics gate pattern susceptible to keyword bypass -22
The risk classification in EthicsChecker._check_privacy_violation(), _check_security_violation(), _check_legal_compliance(), and _check_ethical_concerns() relies entirely on substring keyword matching against a fixed word list. An attacker could instruct an agent to bypass the gate by rephrasing task descriptions to avoid trigger words. If agents defer to this skill for go/no-go decisions, the false-safety signal is itself a risk vector.
LOW Skill sourced from monorepo with full history shallow-cloned -9
Installation clones the entire openclaw/skills monorepo (depth=1) then uses sparse-checkout to extract the target subdirectory. This means the installing host briefly holds a shallow copy of all skills in the monorepo, though the copy is removed post-install. The monorepo itself resolved to GitHub IP 140.82.121.3.
INFO SKILL.md content is clean — no injection vectors 0
SKILL.md contains only Chinese and English documentation describing the ethics checker's features, installation, configuration, and pricing. No instructions to override system prompts, ignore previous context, adopt alternate personas, fetch external URLs, or suppress output were found.
INFO All canary honeypot files intact 0
Post-install canary verification confirms no honeypot credentials (fake .env, SSH keys, AWS credentials) were modified or exfiltrated.