Is bluebirdback/clawhub-publish-doctor safe?

https://github.com/openclaw/skills/tree/main/skills/bluebirdback/clawhub-publish-doctor

86
SAFE

The clawhub-publish-doctor skill is a straightforward ClawHub publishing helper with clean SKILL.md content (no prompt injection, hidden instructions, or obfuscated code), no npm install hooks, no git hooks or submodules, and canary files fully intact. The primary concerns are that both shell scripts write authentication output to predictable world-readable /tmp paths accessible to co-resident processes, that all operations are delegated to an externally-installed clawhub binary whose integrity is never verified, and that, when active, the skill equips an agent with a one-command pathway to publish any local directory to an external skill registry under the authenticated user's credentials.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (6)

MEDIUM Authentication output written to predictable world-readable /tmp paths -22

Both shell scripts redirect clawhub whoami output to predictable /tmp filenames with no permission restriction. A co-resident malicious skill or process can trivially read these files to harvest the authenticated user's identity and session information.

MEDIUM Agent gains capability to publish arbitrary local paths to external registry -18

When active, this skill gives the agent a scripted pathway to publish any local directory to ClawHub under the user's credentials. Adversarial prompt injection from another source could leverage this capability to publish sensitive content or malicious skills under the user's account.

LOW Delegates all operations to externally-installed unverified clawhub binary -15

The skill invokes a pre-installed npm binary without any integrity or version check. A supply-chain compromise of the clawhub npm package would transparently redirect all credential and publish operations to attacker-controlled logic.

LOW Canonical external URLs embedded in SKILL.md -10

SKILL.md directs the agent to clawhub.ai URLs for verification. These are informational and legitimate but represent author-controlled URL targets that the agent is instructed to navigate to.

LOW No verification or sandboxing of clawhub binary for credential operations -10

The clawhub binary handles token-based authentication and publish operations with no fallback or anomaly detection if the binary behaves unexpectedly.

INFO Expected GitHub network connection during installation -12

The sparse checkout connected only to github.com. No unexpected destinations, persistent connections, or out-of-directory filesystem writes were observed. Connection state before and after install is equivalent.