Is clawhub/system-monitor safe?

https://github.com/clawhub/system-monitor

52
CAUTION

The clawhub/system-monitor skill failed to clone from GitHub, leaving an empty workspace with only a mismatched lock.json referencing a different skill ('academic-research-hub'). Despite the clone failure, the installation process accessed highly sensitive files including AWS credentials, .env, and agent authentication profiles — behavior that is not justified by a failed git clone. The skill cannot be fully assessed because no actual code was retrieved, but the observed credential file access during install is a serious concern.

Category Scores

Prompt Injection 80/100 · 30%
Data Exfiltration 20/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 30/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 30/100 · 5%

Findings (8)

CRITICAL AWS credentials file accessed during install -40

The installation process opened and read /home/oc-exec/.aws/credentials. This file contains AWS access keys and secret keys. There is no legitimate reason for a skill installation to access cloud provider credentials.

HIGH .env file accessed during install -25

The installation process read /home/oc-exec/.env, which typically contains application secrets, API keys, database passwords, and other sensitive environment variables.

HIGH Agent auth profiles accessed during install -15

The installation process read /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json, which contains authentication credentials for the agent platform.

HIGH Sensitive file access despite failed clone -50

The git clone operation failed completely (No such device or address), yet the install process still accessed .aws/credentials, .env, and auth-profiles.json. A failed clone should terminate the install process without touching sensitive user files.

MEDIUM Repository inaccessible — skill cannot be verified -20

The repository at https://github.com/clawhub/system-monitor could not be cloned. This means the actual skill code cannot be audited. The skill may not exist, may be private, or the URL may be deliberately invalid.

MEDIUM Skill name mismatch — lock.json references different skill -30

The audit target is 'clawhub/system-monitor' but the only file present (.clawhub/lock.json) references 'academic-research-hub' version 0.1.0. This inconsistency suggests the workspace contains residual state from a different skill or the skill metadata is deceptive.

LOW JIT-compiled JavaScript modules created in /tmp -10

Multiple .cjs files were created under /tmp/jiti/ during installation. These appear to be JIT-compiled modules from the openclaw runtime rather than from the skill itself, but represent code execution during the install phase.

INFO Empty SKILL.md — no agent instructions present -5

The SKILL.md file is empty, meaning this skill provides no instructions to the agent. While this eliminates prompt injection risk from the skill itself, it also means the skill has no defined functionality.