Is cybertheory/clrun safe?
https://github.com/openclaw/skills/tree/main/skills/cybertheory/clrun
The cybertheory/clrun skill is a clean, well-structured markdown wrapper that documents the clrun interactive CLI tool — no prompt injection, hidden code, or malicious instructions were found in the skill files, and the GitHub installation process was entirely clean with expected network connections only. The primary risk is inherent to the tool's design: it gives LLM agents a persistent, stateful, arbitrary shell execution primitive with examples showing sensitive credential storage in long-lived sessions and explicit framing around bypassing interactive confirmation prompts. The external clrun npm package dependency is a separate unaudited supply chain risk that should be independently reviewed before deployment.
Findings (7)
HIGH: Persistent Interactive Shell Execution Primitive (-40)
The skill teaches LLM agents to create and maintain persistent bash sessions via 'clrun bash' with full arbitrary command execution. Sessions maintain state — environment variables, working directory, running processes — across interactions and auto-restore after suspension. This creates a durable, stateful foothold: any agent loaded with this skill can execute arbitrary shell commands by starting a session and sending text inputs. No explicit guardrails or restrictions on what commands may be issued are present in the skill.
MEDIUM: Unaudited External NPM Package Dependency (-25)
The skill declares a hard dependency on the 'clrun' npm package which is not included in or audited alongside this skill. The compatibility field implies that agents encountering this skill may run 'npm install -g clrun' or 'npx clrun', downloading and executing an external package with its own install hooks (preinstall/postinstall) and potential supply chain exposure. The clrun npm package itself is a separate attack surface not evaluated in this audit.
MEDIUM: Expanded Exfiltration Attack Surface via Shell Sessions (-18)
While the skill contains no exfiltration code, it provides the tooling for arbitrary data access and network transmission as a secondary capability. Agents following this skill can read any file accessible to the execution user and transmit content via standard network utilities (curl, wget, nc) through the persistent shell sessions the skill creates. The skill's own example of exporting API_KEY into a session demonstrates the pattern an attacker would follow.
LOW: Interactive Confirmation Bypass Framing (-10)
The skill explicitly frames automatic satisfaction of interactive prompts as a core benefit, encouraging agents to respond to confirmations and dialogs without surfacing them to the user. This reduces a meaningful safety layer where interactive prompts often represent the last human-visible checkpoint before a consequential action proceeds.
LOW: Sensitive Value Persistence in Long-Lived Sessions (-10)
Documentation examples explicitly demonstrate exporting sensitive credentials (API keys) into clrun session environment variables that persist through suspension and auto-restoration cycles. This pattern keeps secret material resident in shell process memory for extended periods beyond the immediate command interaction.
INFO: Clean Sparse GitHub Installation (0)
The install process performed a standard sparse git checkout retrieving only the skills/cybertheory/clrun subdirectory. Network activity was limited to expected GitHub endpoints. No unexpected processes were spawned and the filesystem diff shows only the three expected skill files were created.
INFO: Canary File Accesses Attributed to Audit Framework (0)
Honeypot credential file reads observed in inotify and auditd logs at 1771920515 and 1771920532 are consistent with the audit framework's pre-install baselining and post-install integrity verification, not with the skill install process. The git clone did not begin until 1771920520.711, and all canary files remain unmodified per the integrity check.