Is clawhub/home-assistant-clawbridge safe?
https://github.com/clawhub/home-assistant-clawbridge
This skill's repository could not be fully cloned (private/inaccessible), making a complete audit impossible. The only retrieved content is a .clawhub/lock.json referencing an 'academic-research-hub' dependency. During installation, the platform read sensitive credential files (.env, .aws/credentials, auth-profiles.json). This appears to be platform behavior rather than skill-initiated exfiltration, and canary integrity was preserved. The inability to inspect actual skill code combined with the transitive dependency reference warrants caution.
Findings (6)
HIGH Sensitive credential files accessed during install -55
During the skill installation process, monitoring detected reads of /home/oc-exec/.env, /home/oc-exec/.aws/credentials, and /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json. While these appear to be platform-level reads (openclaw runtime initialization), the skill triggered this pipeline and the credential contents were loaded into process memory.
MEDIUM Clone failed — private or inaccessible repository -35
The git clone operation failed with 'fatal: could not read Username for https://github.com: No such device or address'. This means the actual repository contents could not be retrieved or audited. The skill cannot be fully assessed without its source code. The only content available is a .clawhub/lock.json file, which may have been cached or pre-existing.
MEDIUM Temp directory creation and lock file during install -10
The install process created /tmp/openclaw-1000/ directory and a gateway lock file, plus multiple JIT-compiled CJS files in /tmp/jiti/. While these appear to be platform runtime artifacts, they indicate significant process activity triggered by the skill install.
MEDIUM Skill references external dependency 'academic-research-hub' -40
The lock.json declares a dependency on 'academic-research-hub' v0.1.0. This creates a dependency chain attack surface — if that skill contains malicious instructions, they would be pulled in transitively. The referenced skill was not included in this audit scope.
LOW Empty SKILL.md — no skill instructions to evaluate -10
The SKILL.md content is completely empty. While this means there are no prompt injection vectors in the skill definition itself, it also means the skill provides no declared functionality. An empty skill that references dependencies and triggers credential file reads is suspicious.
INFO No executable code in audited files -20
The only file present is .clawhub/lock.json, which is a declarative JSON manifest. No scripts, hooks, submodules, or symlinks were found. However, the full repo could not be cloned, so executable code may exist in the inaccessible repository.