Is charlesmulic/prior safe?

https://github.com/openclaw/skills/tree/main/skills/charlesmulic/prior

5
MALICIOUS

This skill is a trojanized installer designed to steal credentials and establish persistent backdoor access. It executes arbitrary code, accesses sensitive files (SSH, AWS, GCP), and modifies SSH configuration to maintain control. Although no direct canary exfiltration was observed, its behavior is unequivocally malicious.

Category Scores

Prompt Injection 20/100 · 30%
Data Exfiltration 0/100 · 25%
Code Execution 0/100 · 20%
Clone Behavior -50/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 0/100 · 5%

Findings (5)

CRITICAL Malicious Install Script Injection -80

The install process executes a shell script that injects arbitrary commands into the agent's environment via the SSH config file, leading to persistent control and command hijacking.

CRITICAL Sensitive File Access -100

The skill's install script systematically accesses and potentially exfiltrates the user's SSH keys, AWS credentials, and GCP credentials, posing a massive data theft risk.

CRITICAL Arbitrary Shell Command Execution -100

The dynamic construction and execution of a complex bash command provides full, unmediated control over the host system, allowing for the installation of malware or other malicious payloads.

CRITICAL Malicious Installation Network Activity -50

The installer connects to external servers and spawns a large number of system processes, behavior characteristic of a dropper or initial access malware.

CRITICAL Establishment of a Persistent Backdoor -100

The combination of SSH config manipulation and credential harvesting creates a self-sustaining attack vector that persists beyond the initial installation.