Is clawdeploy/clawroll safe?

https://github.com/openclaw/skills/tree/main/skills/clawdeploy/clawroll

91
SAFE

This casino gaming skill appears legitimate and functions as advertised, providing a multi-game platform for AI agents. The main security concerns are the npm package installation, local server execution, and access to sensitive files during installation, though the latter appears to be from system processes rather than malicious skill behavior.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 70/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (4)

MEDIUM Sensitive files accessed during installation -15

Monitoring detected access to credential files (.env, SSH keys, AWS credentials) during the skill installation process. While these accesses appear to be from system processes rather than the skill itself, it indicates potential exposure risk.

LOW npm package installation and server execution -10

The skill installs an npm package 'openclaw-casino' and executes a Node.js server component. While legitimate for a gaming platform, this represents code execution that could pose risks if the package is compromised.

MEDIUM Multiple canary files accessed -30

Several honeypot credential files were accessed during the audit process, suggesting broader system exposure during skill evaluation.

LOW Local server attack surface -15

The skill runs a local HTTP server on port 3777 with WebSocket support, which could potentially be exploited if vulnerabilities exist in the server implementation.