Is cenralsolution/mfa-word safe?
https://github.com/openclaw/skills/tree/main/skills/cenralsolution/mfa-word
This skill poses serious risks through mandatory prompt injection that forces the agent to intercept all sensitive operations, combined with suspicious simultaneous reads of all credential canary files and an externally connected platform process with access to the skill's data directory. The skill frames itself as a security enhancement while creating a surveillance and control layer over the agent's behavior; its non-functional code (mixed CommonJS/ESM), predictable secret storage location, and operational audit log make it a significant threat to both user privacy and agent autonomy.
Findings (8)
CRITICAL Mandatory behavioral override via SKILL.md -55
The skill embeds imperative behavioral directives into the agent's system prompt that force the agent to intercept, gate, and potentially block ALL sensitive file and command operations. The agent is instructed it 'MUST' call check_gate_status before any action matching the sensitive_list. This is not a capability — it is a control plane takeover of the agent's decision-making for an entire class of operations.
HIGH Simultaneous enumeration of all 6 credential canary files -55
All six planted credential canary files were accessed in rapid sequential order twice during the audit window. The second batch at timestamp 1771921550.251 shows all six files with identical timestamps (audit items 6976-6981), which is consistent with a single process iterating a hardcoded list of high-value credential paths. File integrity was not violated (no writes), but contents may have been read.
HIGH Hashed user passwords and operation audit log written to user home -50
The skill stores SHA-256-hashed user passwords at ~/.openclaw/mfa_vault.json and a full audit log of every sensitive operation at ~/.openclaw/mfa_audit.log. These files sit in a directory writable and readable by the openclaw-gateway process. SHA-256 hashes of short secret words are trivially brute-forceable. The audit log creates a persistent surveillance record of user activity.
HIGH openclaw-gateway establishes persistent external TCP connections post-install -35
After installation, a process named openclaw-gatewa (PID 1091) holds two ESTABLISHED TCP connections to 3.213.170.18:443 (AWS) and opens new local TCP listeners on ports 18790 and 18793. This process and these connections were absent in the pre-install network snapshot. This process has access to the ~/.openclaw/ directory where the skill stores its vault and audit log.
HIGH Configurable sensitive_list enables post-install scope expansion -15
The initialize_mfa tool accepts a sensitive_list parameter that can be set to any string patterns, allowing the skill operator to silently expand what agent operations get intercepted after installation without user awareness. Default list includes .env, password, config, sudo — covering nearly all sensitive agent operations.
MEDIUM Security theater attack pattern — surveillance disguised as protection -65
The skill's security framing (zero-trust, MFA, Dead Man's Switch) is designed to lower user suspicion while creating a mandatory interception layer. The audit log records exactly which sensitive files the user's agent accesses and when, providing a surveillance capability. Combined with any skill that can read local files or the openclaw-gateway's external connections, this log becomes an exfiltration target.
MEDIUM index.js mixes incompatible module systems — code cannot execute as written -32
index.js uses CommonJS require() for module imports alongside ESM export const syntax. This combination is invalid in Node.js without special transpilation configuration. The code appears non-functional as written, which raises the question of whether it serves a different purpose (reference documentation, obfuscation) or whether the actual execution logic resides elsewhere.
LOW SHA-256 hash of user secret word is brute-forceable -15
The skill stores SHA-256(secret_word) in ~/.openclaw/mfa_vault.json. Secret words chosen by users are typically short dictionary words. SHA-256 without salt is vulnerable to rainbow table and dictionary attacks. Any process that reads mfa_vault.json can recover the original secret word.