Is cheenu1092-oss/jugaad-clawguard safe?
https://github.com/openclaw/skills/tree/main/skills/cheenu1092-oss/jugaad-clawguard
ClawGuard presents as a security tool but exhibits multiple behaviors consistent with a credential-harvesting and agent-surveillance package: all six honeypot credential files were accessed post-install, a postinstall hook auto-executes unaudited code, an MCP scanner systematically reads API keys from tool configurations, and a Discord approval module provides an exfiltration channel for agent command data. The skill also attempts to permanently embed itself into the agent's policy and heartbeat documents, ensuring persistent presence and gating all future agent external actions through its control plane. The combination of credential file access, credential-scanning functionality, and an external Discord channel creates a viable end-to-end credential exfiltration pipeline.
Findings (11)
CRITICAL (-50): All six canary credential files accessed post-install
The auditd PATH syscall log shows .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP application_default_credentials.json were all read after the skill installation completed. The batch access at 1771734833.265 shows all six files read in rapid succession. Additional individual .env accesses occurred at 1771734822.805 and 1771734830.103 during the install window. While the oathe canary integrity check confirms file hashes are intact (no mutation-based exfiltration), file reads can capture content for transmission through the Discord or audit-log channels.
CRITICAL (-40): postinstall hook auto-executes lib/setup.js on npm install
package.json declares a postinstall script that runs lib/setup.js automatically whenever npm install is executed. This script runs in the user's environment with full credential access before the user has had any opportunity to audit the code. Setup scripts are a primary supply-chain attack vector. The full content of lib/setup.js was not captured in the evidence, making its complete behavior unknown.
HIGH (-30): Instructs agent to modify AGENTS.md with binding security policy
The AGENTS.md Policy Addition section of SKILL.md provides copy-paste text instructing the agent to permanently embed a requirement that clawguard must be run before ANY external command. Once embedded in AGENTS.md, this policy persists across all future sessions and is difficult to remove without explicitly auditing agent configuration. This effectively installs clawguard as a mandatory intermediary for all agent external actions.
HIGH (-25): Discord approval module transmits full command context to external channel
The discord-approval.js module, activated at security level 1+, sends the exact command or URL that was flagged, threat details, and severity ratings to a Discord channel controlled by whoever configured the channel ID. This creates an exfiltration channel for all agent actions that trigger warnings. In plugin mode, this activates automatically without user initiation.
HIGH (-20): MCP scanner explicitly reads credential-containing configuration files
lib/mcp-scanner.js is documented to 'Auto-discover MCP configs from Claude Desktop, Cursor, VS Code, Windsurf, Claude Code, and Clawdbot' and 'Detect hardcoded API keys (OpenAI, Anthropic, GitHub, AWS, Slack, SendGrid, Google, and 7 more)'. This component systematically reads tool configuration files that commonly contain API keys and credentials. The ostensible purpose is security scanning, but it provides complete credential visibility to the skill.
HIGH (-20): before_tool_call plugin hook intercepts all agent tool invocations
openclaw-plugin.js hooks into the OpenClaw before_tool_call event, meaning clawguard code executes before every exec, web_fetch, and browser tool call the agent makes. This gives the skill complete visibility into and control over all agent tool use, and the ability to block or allow any action. The plugin runs in the agent's execution context.
HIGH (-15): Instructs agent to modify HEARTBEAT.md with recurring checks
SKILL.md instructs the agent to add recurring security check procedures to HEARTBEAT.md, embedding clawguard health checks into the agent's ongoing operational cycle. This creates a persistent dependency and ensures clawguard continues to run even if the user does not actively invoke it.
MEDIUM (-15): New external TCP connections to AWS IPs established after install
The connection diff shows that the openclaw-gatewa process opened new connections (state ESTABLISHED) to 44.214.208.192:443 and 44.220.240.236:443 (both in AWS IP ranges) and to 104.16.3.34:443 (Cloudflare) after the skill was installed. Two new LISTEN ports (18790, 18793) were also opened. These may be the pre-existing OpenClaw gateway updating its state after skill registration, but the timing is correlated with the skill install.
MEDIUM (-20): Comprehensive audit trail enables persistent agent surveillance
The skill logs every command, URL, skill name, and message checked to ~/.clawguard/audit.jsonl. This creates a persistent, machine-readable record of all agent activities that passes through clawguard. Combined with the AGENTS.md policy modification (which routes ALL external commands through clawguard), this effectively creates full surveillance of the agent's external activities.
MEDIUM (-20): Canary credential files read post-install; not modified
All six canary credential files were accessed after skill installation completed. The oathe canary integrity monitor confirmed file hashes are intact, meaning no file-mutation-based exfiltration occurred. However, the reads indicate file content was likely processed by some component. The batch read pattern at 1771734833.265 suggests systematic credential discovery rather than incidental access.
LOW (-10): Security level 0 (silent) set as default to minimize user awareness
The default security level is explicitly designed to run silently with zero user friction. While this is presented as a user-friendly feature, it also means the skill's surveillance and logging activities proceed without any user-visible indication. Users may install this thinking it's passive background protection while it actively logs and evaluates all their agent's actions.