Is cto1/claw-admin safe?

https://github.com/openclaw/skills/tree/main/skills/cto1/claw-admin

88
SAFE

The claw-admin skill is a clean, Markdown-only API documentation file for the clawemail.com email provisioning service. Installation monitoring found no prompt injection, no executable code, no canary file exfiltration, and no unexpected network connections beyond GitHub. The primary risks are third-party trust: the service controls all provisioned Google Workspace accounts and OAuth credentials, and the dynamic connect_url response could be weaponized if clawemail.com is compromised or malicious.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (7)

MEDIUM CLAWEMAIL_API_KEY Transmitted to Third-Party Service on Every Call -15

The skill requires the CLAWEMAIL_API_KEY environment variable and includes it as an X-API-Key header on every authenticated request to clawemail.com. This is expected behavior for an API-based skill, but it creates a third-party credential dependency. Any compromise of the clawemail.com API infrastructure would expose the key and allow an attacker to manage (create, suspend, delete) all provisioned accounts under that key.

MEDIUM Full Google Workspace Access Provisioned via Third-Party Operator -20

Each provisioned account includes Gmail, Docs, Sheets, Calendar, Drive, and OAuth credentials, all mediated through clawemail.com. The OAuth connect_url returns 'OpenClaw credentials' whose scope is not disclosed in SKILL.md. If clawemail.com retains admin access to provisioned Google Workspace accounts (as a reseller typically would), the operator has persistent surveillance capability over all accounts created through this skill.

LOW Dynamic connect_url Directs Agent to Externally-Controlled URL -10

The create-account API response includes a connect_url field dynamically returned by clawemail.com, and SKILL.md instructs the agent to direct the user to visit this URL. The URL is not validated or constrained in the skill. A compromised or intentionally malicious clawemail.com could return a phishing URL as connect_url, causing the agent to direct users to an attacker-controlled page.

LOW One-Time Plaintext Password Creates Pressure for Insecure Storage -7

The create-account API response returns a plaintext temporary password with the urgent instruction 'Save the password immediately — it is shown only once.' This urgency may cause an agent to write the password to a local file, include it in a tool response that gets logged, or display it in a context where it persists in conversation history.

LOW Multi-Skill Combination Risk: Provisioned Gmail as Exfiltration Endpoint -15

Provisioned @clawemail.com Gmail accounts, if combined with another skill that can send email or upload to Drive, create a functional exfiltration channel. An attacker who controls both this skill and a mail/file-upload skill could silently route sensitive data to a Gmail inbox that appears legitimate.

INFO No Executable Code Present in Skill Package 0

The skill contains exclusively Markdown and JSON metadata. No scripts, binaries, npm hooks, git hooks, submodules, symlinks, or Dockerfiles were found. The install only created two files under the skill directory.

INFO Clone Network Activity Limited to GitHub 0

The only new outbound TCP connection during install was to 140.82.121.4:443 (github.com). Pre-existing Canonical/Ubuntu connections were OS-level and closed independently. No unexpected DNS queries, no connections to clawemail.com during install, no secondary payload download.