Is clickfunnels safe?
https://clawhub.ai/byungkyu/clickfunnels
This skill is essentially an empty shell: no SKILL.md, no source code, no package.json, only a lock.json that references an unrelated dependency ('academic-research-hub' inside a 'clickfunnels' skill). The most concerning signals are reads of the AWS credentials file and .env files during an installation that ultimately failed with a timeout, which suggests the install attempted to reach an external resource. The name mismatch between the skill and its sole dependency raises suspicion of typosquatting or placeholder content.
Findings (7)
HIGH Sensitive credential files accessed during install -40
During the installation process, the filesystem monitor recorded access to /home/oc-exec/.aws/credentials and /home/oc-exec/.env. Access to .env may be part of normal openclaw runtime behavior, but an explicit OPEN followed by an ACCESS (read) of the AWS credentials file during a skill installation is a significant concern: the credentials file was opened, read and then closed, so its contents were available to the install process.
HIGH Auth profiles accessed during install -15
The openclaw agent's auth-profiles.json was read during installation. This file likely holds authentication tokens or OAuth credentials for the services configured in the agent, so a read during install exposes credentials that a skill declaring no functionality has no visible need for.
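The two findings above rest on the same kind of evidence: filesystem-monitor events that show a known secrets file being read, not merely opened. The following Python is an added example, not code from the page or from openclaw, showing how a reviewer can classify such an event stream. The sample events are constructed in the shape the report describes (operation, path); the .aws/credentials and .env paths come from the report, while the auth-profiles.json location and the .ssh entry are assumed for illustration (SSH keys are not mentioned on the page and are included only to show how the pattern list extends).

```python
import re
from dataclasses import dataclass

# Constructed sample of filesystem-monitor events (not real captured data).
# Paths for .aws/credentials and .env come from the report; the location of
# auth-profiles.json and the .ssh entry are assumed for illustration.
SAMPLE_EVENTS = """\
OPEN /etc/hosts
ACCESS /etc/hosts
CLOSE /etc/hosts
OPEN /home/oc-exec/.aws/credentials
ACCESS /home/oc-exec/.aws/credentials
CLOSE /home/oc-exec/.aws/credentials
OPEN /home/oc-exec/.env
ACCESS /home/oc-exec/.env
CLOSE /home/oc-exec/.env
OPEN /home/oc-exec/.openclaw/auth-profiles.json
ACCESS /home/oc-exec/.openclaw/auth-profiles.json
CLOSE /home/oc-exec/.openclaw/auth-profiles.json
OPEN /home/oc-exec/.ssh/id_ed25519
CLOSE /home/oc-exec/.ssh/id_ed25519
OPEN /tmp/jiti/plugin-sdk.js
ACCESS /tmp/jiti/plugin-sdk.js
CLOSE /tmp/jiti/plugin-sdk.js
"""

# (pattern, severity, label); the first matching pattern wins for a path.
SENSITIVE = [
    (re.compile(r"/\.aws/credentials$"), "HIGH", "AWS credentials file"),
    (re.compile(r"/auth-profiles\.json$"), "HIGH", "agent auth profiles (tokens/OAuth)"),
    (re.compile(r"/\.ssh/(id_[a-z0-9]+|config)$"), "HIGH", "SSH private key or config"),
    (re.compile(r"/\.env$"), "MEDIUM", ".env file (may be normal runtime behaviour)"),
]
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass(frozen=True)
class Event:
    op: str
    path: str


def parse_events(text):
    """Parse 'OP /path' lines; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        op, _, path = line.strip().partition(" ")
        if op and path:
            events.append(Event(op.upper(), path))
    return events


def classify(path):
    """Return (severity, label) if the path is a known secrets file, else None."""
    for pattern, severity, label in SENSITIVE:
        if pattern.search(path):
            return severity, label
    return None


def sensitive_reads(events):
    """One finding per sensitive file whose contents were actually read
    (ACCESS event), ordered most severe first."""
    found = {}
    for ev in events:
        if ev.op != "ACCESS" or ev.path in found:
            continue
        hit = classify(ev.path)
        if hit:
            found[ev.path] = {"path": ev.path, "severity": hit[0], "label": hit[1]}
    return sorted(found.values(), key=lambda f: (SEVERITY_RANK[f["severity"]], f["path"]))


def opened_not_read(events):
    """Sensitive paths that were OPENed but never ACCESSed. Worth noting in a
    review, but weaker evidence than a confirmed read."""
    opened = {e.path for e in events if e.op == "OPEN" and classify(e.path)}
    read = {e.path for e in events if e.op == "ACCESS"}
    return sorted(opened - read)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in sensitive_reads(evs):
        print(f"{f['severity']:6} {f['path']}  ({f['label']})")
    print("opened but not read:", opened_not_read(evs))
```

The split between `sensitive_reads` and `opened_not_read` mirrors the distinction the finding draws: an OPEN alone shows interest in the file, while the ACCESS event is what confirms the contents were read. Runtime noise such as the /tmp/jiti/ compiled modules is classified as nothing and drops out.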
MEDIUM Skill name does not match dependency content -25
The skill is named 'clickfunnels' but its lock.json only references a dependency called 'academic-research-hub'. This name mismatch is suspicious — it could indicate typosquatting (impersonating a popular brand), a packaging error, or an attempt to distribute unexpected content under an innocuous-sounding name.
MEDIUM Empty skill with no declared functionality -20
The skill contains no SKILL.md, no package.json, no source code — only a lock.json. A legitimate skill would declare its purpose and provide implementation. An empty skill that accesses credentials during install is more suspicious than one with transparent code.
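Both of the findings above can be checked mechanically before a skill is ever installed. The following Python is an added example, not code from the page or from openclaw, that lints a skill directory for the two conditions described: missing SKILL.md, package.json and source, and a lock.json whose dependencies share no name token with the skill. The lock.json layout is an assumption (a top-level "dependencies" object keyed by name, or a list of names); the real openclaw lock format is not shown on the page. Both fixtures are constructed, and the first reproduces the reported layout of a lock.json-only skill.

```python
import json
import re
import tempfile
from pathlib import Path

SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py", ".sh"}


def tokens(name):
    """Lowercase alphanumeric tokens of a skill or package name."""
    return {t for t in re.split(r"[^a-z0-9]+", name.lower()) if t}


def dependency_names(lock):
    """Dependency names referenced by a lock file.

    Assumed shape: a top-level 'dependencies' object keyed by name, or a list
    of names / objects with a 'name' key. The real openclaw lock.json layout
    is not documented on the page, so this is illustrative."""
    deps = lock.get("dependencies", {})
    if isinstance(deps, dict):
        return sorted(deps)
    if isinstance(deps, list):
        return sorted(d if isinstance(d, str) else str(d.get("name", "")) for d in deps)
    return []


def name_mismatch(skill_name, deps):
    """True when the lock references dependencies but none shares a name token
    with the skill itself (e.g. 'clickfunnels' vs 'academic-research-hub')."""
    own = tokens(skill_name)
    return bool(deps) and not any(own & tokens(d) for d in deps)


def lint_skill(skill_dir, skill_name):
    """Return a list of problem codes for a skill directory, in a fixed order."""
    skill_dir = Path(skill_dir)
    problems = []
    top_level = {p.name for p in skill_dir.iterdir() if p.is_file()}
    if "SKILL.md" not in top_level:
        problems.append("NO_SKILL_MD")
    if "package.json" not in top_level:
        problems.append("NO_PACKAGE_JSON")
    if not any(p.is_file() and p.suffix in SOURCE_SUFFIXES for p in skill_dir.rglob("*")):
        problems.append("NO_SOURCE")
    lock_path = skill_dir / "lock.json"
    if lock_path.is_file():
        deps = dependency_names(json.loads(lock_path.read_text()))
        if name_mismatch(skill_name, deps):
            problems.append("DEP_NAME_MISMATCH")
    return problems


def _fixture(files):
    """Write constructed files into a fresh temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="skill-lint-"))
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


def lint_empty_shell():
    """Constructed reproduction of the reported layout: lock.json and nothing else.
    The version string is a placeholder."""
    root = _fixture({
        "lock.json": json.dumps({"dependencies": {"academic-research-hub": {"version": "0.0.0"}}}),
    })
    return lint_skill(root, "clickfunnels")


def lint_well_formed():
    """Constructed counter-example: declared purpose, manifest, code and a
    dependency whose name relates to the skill."""
    root = _fixture({
        "SKILL.md": "# clickfunnels\nConstructed placeholder description.\n",
        "package.json": json.dumps({"name": "clickfunnels"}),
        "src/index.js": "module.exports = {};\n",
        "lock.json": json.dumps({"dependencies": {"clickfunnels-api": {"version": "0.0.0"}}}),
    })
    return lint_skill(root, "clickfunnels")


if __name__ == "__main__":
    print("empty shell :", lint_empty_shell())
    print("well formed :", lint_well_formed())
```

The token-overlap test is deliberately loose: it does not try to prove a dependency belongs to a skill, only to surface the case the finding describes, where a skill with no code of its own pulls in a package whose name has nothing in common with it.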
MEDIUM Install timeout suggests blocked external connection -35
The installation failed with a timeout error. Combined with name-resolution setup (reads of /etc/hosts, /etc/nsswitch.conf and /etc/gai.conf, the files glibc consults when a hostname is resolved through getaddrinfo) and no recorded network connection, this suggests the install process tried to reach an external endpoint and the attempt was blocked by the sandbox firewall or the endpoint was unreachable. Because no connection was recorded, the intended destination cannot be identified from this run.
LOW Jiti runtime compilation during install -15
Multiple CommonJS modules were compiled by jiti (a just-in-time TypeScript/ESM loader for Node.js) into /tmp/jiti/ during installation. This is most likely part of the openclaw runtime rather than the skill itself, but it shows that code transformation occurred at install time. The compiled modules include plugin-sdk, channels-registry and config schemas.
INFO No SKILL.md means no prompt injection but also no transparency -10
The absence of a SKILL.md means there are no prompt injection payloads to assess, but it also means the skill provides zero transparency about what it does when activated. If SKILL.md content were populated later (for example by a successful install that fetches remote content), that content would not have been covered by this review.