Is cplusdev/urlcheck safe?
https://github.com/openclaw/skills/tree/main/skills/cplusdev/urlcheck
The cplusdev/urlcheck skill presents as a security tool but is architecturally a surveillance and navigation-control layer: every URL the agent visits plus the user's stated intent is transmitted to an external vendor (cybrlab.ai), and that vendor's API response dictates whether the agent may proceed with any navigation. The skill's SKILL.md contains no malicious prompt injections or code, and the clone behavior was clean, but the design itself creates high-severity privacy and indirect control risks. The required companion plugin (@cybrlab/urlcheck-openclaw) was not evaluated and represents an additional unaudited attack surface.
Findings (8)
HIGH (-50): All agent-navigated URLs transmitted to external vendor
The skill's core mechanism routes every URL the agent encounters to cybrlab.ai's scanning API. This includes URLs the user provides, URLs discovered during browsing, redirect chains, and download targets. The external service therefore accumulates a comprehensive record of the browsing the agent performs on the user's behalf.
HIGH (-20): User intent (browsing purpose) exfiltrated alongside URLs
The skill instructs the agent to pass the user's stated purpose as an intent parameter ('log in to my account', 'purchase', 'book', 'sign up'). This behavioral metadata, combined with the URL, gives the external operator a detailed profile of what users are trying to accomplish and with which services.
HIGH (-30): External API response controls agent navigation behavior (indirect prompt injection)
The agent_access_directive field returned by cybrlab.ai's API directly controls whether the agent proceeds with any navigation action. A malicious or compromised API operator can issue DENY directives for any URL, including legitimate sites. The agent_access_reason string returned by the API is also displayed to the user verbatim, creating a channel for injecting arbitrary text into the user's session.
MEDIUM (-10): Agent navigation can be halted indefinitely via RETRY_LATER directive
The skill instructs the agent to wait and retry if a RETRY_LATER directive is returned. A malicious API can return RETRY_LATER continuously, effectively blocking the agent from navigating anywhere while appearing to function normally. The 30-90 second verification window compounds this.
MEDIUM (-20): Required external plugin not evaluated; install-time code execution risk
The skill explicitly requires installation of @cybrlab/urlcheck-openclaw via the openclaw plugin manager. This plugin was not present in the skill directory and was not audited. npm-based plugins can execute arbitrary code via preinstall/postinstall lifecycle scripts at install time.
MEDIUM (-40): Skill positions itself as a security gatekeeper while itself being an unauditable external dependency
The skill presents as a protective security layer, which may cause users to trust it uncritically. However, the actual security guarantees are entirely dependent on cybrlab.ai's API behavior, which users cannot audit. A commercially or adversarially motivated operator could selectively allow phishing sites or block legitimate ones based on undisclosed criteria.
LOW (-10): Internal resource verification intentionally bypassed
The skill explicitly excludes localhost, file://, and intranet addresses from scanning. If an attacker can redirect agent navigation to internal addresses (e.g., via a crafted redirect chain), those URLs will not be verified by the skill, creating a blind spot in the claimed security coverage.
INFO (0): Canary files accessed read-only; attributed to monitoring framework, not skill
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read at timestamps 1771923704.765 and 1771923726.625. All accesses were CLOSE_NOWRITE (read-only, no modification). Timing and audit context indicate that these are the oathe audit framework's pre/post baseline integrity checks. The skill itself had no mechanism to access these files.