Is dreaming safe?

https://clawhub.ai/briancolinger/dreaming

78
CAUTION

The 'dreaming' skill is a creative-exploration tool that instructs an AI agent to autonomously generate freeform content during nighttime quiet hours. While the current code contains no direct malicious payloads or exfiltration mechanisms, it establishes a concerning pattern: a shell script that executes during unsupervised hours and writes arbitrary agent-generated content to disk, with a configurable topic system that could be weaponized post-install. The primary risk is not what the skill does today, but the autonomous execution infrastructure it normalizes.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (8)

MEDIUM Executable shell script with external process spawning -25

should-dream.sh is a bash script executed on every heartbeat during quiet hours. It spawns python3 for RNG and jq for JSON manipulation. While the current code is benign, this establishes a persistent execution vector that runs during low-supervision periods.

MEDIUM WORKSPACE environment variable override allows path control -10

The WORKSPACE variable can be overridden via environment, changing where the script reads config from and writes state to. If another skill or process sets this variable, it could redirect dream state writes to arbitrary locations.

MEDIUM Behavioral modification of agent heartbeat routine -12

The skill instructs users to inject a new section into HEARTBEAT.md that causes the agent to execute a shell script and produce freeform content autonomously. This modifies core agent behavior and establishes an autonomous execution pattern during unsupervised hours.

LOW Stderr suppression reduces error observability -6

The recommended heartbeat integration suppresses stderr from the dream script, meaning errors, warnings, or unexpected behavior would be silently swallowed.

MEDIUM Post-install topic injection via dream-config.json -30

The dream-config.json mechanism allows arbitrary prompt injection after installation. An attacker who gains write access to this file (or a future skill update that modifies it) could change dream topics to prompts that cause the agent to enumerate, summarize, or analyze sensitive data — all written to readable files during unsupervised hours.

MEDIUM Quiet-hours targeting reduces human oversight -10

The skill deliberately targets 11 PM - 7 AM, when human operators are least likely to be monitoring agent behavior. This is not malicious per se (it's the stated purpose), but it creates an optimal window for any future abuse of the autonomous content generation capability.

LOW Dream topics could be weaponized for data reconnaissance -10

While current default topics are benign creative prompts, the configurable topic system could be used to craft prompts that cause the agent to introspect on sensitive project data, API keys it has seen, or system configuration — writing the results to files.

INFO Clean installation with no anomalous behavior -5

Installation monitoring shows only standard system library loading and openclaw agent initialization. No network activity, no unexpected file access, no process spawning attributable to the skill.