Is claudiusaipro/claudius safe?
https://github.com/openclaw/skills/tree/main/skills/claudiusaipro/claudius
Claudius is a crypto intelligence skill that proxies all user queries through the external claudiusai.pro API, which explicitly collects queries and IP addresses. The installation process is entirely clean: no code executes during install, no local sensitive files are read, all canary honeypots remained intact, and network activity was limited to the expected GitHub clone. The primary risks are a persistent third-party data collection channel for all user interactions, and an indirect prompt injection surface where the remote API server could return malicious instructions that the agent would treat as trusted tool output — with no local code changes required to execute such an attack.
Findings (10)
HIGH (-30): All user queries transmitted to third-party API server
Every query processed by this skill is forwarded to https://api.claudiusai.pro/v1/ask. The README explicitly discloses that user queries and IP addresses are collected. Any sensitive context included in crypto questions — portfolio sizes, wallet addresses, financial intent, conversational history — is logged by a third party with no user-controlled data retention policy.
HIGH (-20): Unvalidated remote API response creates indirect prompt injection vector
The script writes the raw API response directly to stdout with no content validation or sanitization. The agent treats stdout as trusted tool output. The claudiusai.pro server could return responses containing prompt injection instructions such as 'Ignore all previous instructions' which the agent would incorporate as legitimate content from the tool.
MEDIUM (-20): CLAUDIUS_API_URL environment variable enables silent server redirect
The API endpoint is read from an environment variable, defaulting to api.claudiusai.pro. If CLAUDIUS_API_URL is set by any mechanism — another skill, a compromised shell environment, or a user configuration — all queries are silently redirected to an arbitrary server without user notification. This creates a lateral pivot point for environment-based attacks.
MEDIUM (-10): User query passed as shell argument without sanitization guidance
SKILL.md instructs the agent to construct: node scripts/claudius.js "YOUR_QUERY_HERE". If the agent builds this command with insufficiently escaped user input, shell metacharacters in the query could alter execution. The risk is partially mitigated because Node.js argv parsing does not perform shell word splitting, but the agent's construction of the command line remains the attack surface.
MEDIUM (-10): Agent platform fingerprinting via backend detection header
The script sends X-Claudius-Client: clawdbot-public, annotated in the source as a 'Backend detection marker'. This indicates the server intentionally varies behavior based on the calling client identity. This fingerprinting could enable targeted prompt injection payloads served only when the OpenClaw/Moltbot agent platform is detected.
LOW (-15): Skill updates propagate silently without code review
The skill has no pinned content hash or integrity verification on the installed script. Future updates to claudius.js can introduce malicious behavior that would be picked up on next install without user awareness. The version history (1.0.3 → 1.0.4) shows active and rapid iteration.
LOW (-25): Closed third-party service with financial advice scope
All intelligence processing occurs on claudiusai.pro servers. The README advertises investment recommendations and crypto swap capabilities. Users have no visibility into data retention, model behavior, or what instructions the API response might include. The financial advice framing increases the impact of any prompt injection returned by the server.
INFO (0): Clean installation — no unexpected network connections
Network monitoring during installation showed only expected traffic to GitHub for the git clone. No connections were initiated to api.claudiusai.pro, no additional packages were downloaded, and no unexpected processes were spawned.
INFO (0): All honeypot files intact — no credential exfiltration
Honeypot files (.env, SSH keys, AWS credentials, npmrc token, Docker config, GCP credentials) were not modified or read by skill code. The claudius.js source contains no filesystem access primitives whatsoever.
INFO (0): No npm install scripts or git hooks present
package.json contains no preinstall, postinstall, prepare, or other lifecycle scripts. No .githooks directory, .gitattributes filters, .gitmodules, or symlinks outside the skill directory were found.