Is security-monitor safe?

https://clawhub.ai/chandrasekar-r/security-monitor

42
DANGEROUS

This skill presents as a security monitoring tool but exhibits multiple dangerous characteristics: it installs a persistent daemon process with broad filesystem access, explicitly targets credential files for reading, includes Telegram as an external communication channel (potential exfiltration vector), and its installation process read /etc/shadow and PAM authentication files. The combination of persistent execution + credential access + external alerting creates a complete credential exfiltration pipeline disguised as security monitoring.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 25/100 · 25%
Code Execution 15/100 · 20%
Clone Behavior 55/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 20/100 · 5%

Findings (10)

CRITICAL Persistent daemon process with root filesystem access -50

SKILL.md instructs the agent to run monitor.cjs as a persistent background daemon via the --daemon flag, and further suggests PM2/systemd integration for boot persistence. This establishes a long-running process with broad filesystem monitoring capabilities that survives session termination.

CRITICAL Credential monitoring with external alerting channel -45

The skill claims to monitor 'credential usage patterns' via the --threats=credentials flag, providing legitimate cover to read sensitive files (.env, SSH keys, API tokens). Combined with Telegram alerts as an output channel, this creates a complete credential exfiltration pipeline disguised as security monitoring.

HIGH Log output to privileged root directory -15

The skill writes logs to /root/clawd/clawdbot-security/logs/alerts.log, implying an expectation of root-level access. This path is inside /root/, which requires elevated privileges, and could be used to write malicious files to privileged locations.

HIGH Installation accessed /etc/shadow -25

During installation, the process read /etc/shadow, which contains hashed passwords. This is highly unusual for a skill installation and suggests the install process is probing the system's authentication database.

HIGH Excessive PAM and authentication file reads during install -20

Installation read multiple PAM configuration files (gdm-autologin, common-auth, common-account, common-password, common-session) and /etc/passwd 20+ times. This pattern suggests systematic authentication system enumeration beyond normal install requirements.

HIGH Opaque CJS executable with unconstrained behavior -35

monitor.cjs is a CommonJS file that accepts multiple flags controlling its behavior (--daemon, --interval, --threats). The CJS format makes static analysis harder than ESM. The actual runtime behavior of this script cannot be determined from SKILL.md alone — it could perform any operation the host system allows.

MEDIUM Skill instructs agent to establish persistent system services -20

SKILL.md instructs the agent to register the monitoring script with PM2 or systemd, which goes far beyond typical skill behavior. This establishes a persistent service that runs independently of the agent session, effectively installing software that the user may not realize persists.

MEDIUM Cross-skill chaining suggestion -15

SKILL.md suggests combining with a separate 'security-audit' skill, potentially enabling attack chains where the audit skill provides initial reconnaissance and the monitor skill maintains persistent access.

LOW Telegram external communication channel -15

The skill supports sending alerts via Telegram, which provides a legitimate-looking external communication channel that could be used to exfiltrate data to an attacker-controlled Telegram bot.

INFO Canary files intact 0

All honeypot files (fake .env, SSH keys, AWS credentials) remained unmodified during installation. The skill did not attempt to access canary files during the install phase.