Is divide-by-0/create-new-openclaw-in-gcp safe?

https://github.com/openclaw/skills/tree/main/skills/divide-by-0/create-new-openclaw-in-gcp

Overall score: 76/100 (CAUTION)

This skill provides GCP deployment documentation for OpenClaw with Tailscale networking. The installation itself was clean — a standard sparse git clone and file copy with no automatic code execution. However, the skill content contains several significant concerns: the _meta.json commit hash references a different repository (clawdbot/skills vs openclaw/skills), making tamper detection impossible; the skill instructs agents to use --accept-risk --non-interactive flags that silently bypass user consent during daemon installation; and it includes multiple curl-pipe-to-bash patterns alongside an unpinned npm install. Post-install monitoring also reveals an unexplained academic-research-hub dependency in the lock file and a persistent openclaw-gateway process maintaining encrypted connections to AWS.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 85/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 62/100 · 5%

Findings (9)

HIGH · Unverifiable Provenance: Metadata Commit Points to Different Repository (-22 points)

The _meta.json commit field references a commit URL in github.com/clawdbot/skills, but the skill was actually cloned from github.com/openclaw/skills. These are different repositories. The claimed commit hash cannot be verified against the actual source, making it impossible to confirm that the shipped files match any auditable point in version history. This is a hallmark of a tampered or improperly published package.

HIGH · Agent Instructed to Auto-Accept Risk and Suppress All Prompts (-25 points)

The openclaw onboarding command includes both --non-interactive (suppresses all interactive prompts) and --accept-risk (automatically accepts undisclosed risks). An agent following this skill would install openclaw as a persistent system daemon and configure credential storage without the user seeing what risks are being accepted. This delegates an unbounded consent decision to the agent.

MEDIUM · Unrelated Skill Declared as Dependency in Lock File (-15 points)

The .clawhub/lock.json bundled inside this skill package declares academic-research-hub@<version> (the exact version string was mangled during extraction) as an installed skill dependency. This is entirely unrelated to GCP cloud deployment. If the clawhub package manager treats lock.json as a dependency manifest (rather than a developer environment snapshot), installing this skill would silently install a second, unvetted skill.

MEDIUM · Two Curl-Pipe-to-Bash Remote Code Execution Patterns (-20 points)

The skill instructs execution of two remote shell scripts via curl piped directly to bash/sh. These patterns are vulnerable to MITM attacks and bypass any opportunity to review the script before execution. Neither URL uses a content-addressed pin or checksum verification.

MEDIUM · Unpinned npm Package Installs Latest Version at Runtime (-15 points)

npm install -g openclaw@latest resolves to whichever version is tagged 'latest' on the npm registry at execution time. A compromised or malicious npm release could be installed transparently. This is a known supply chain attack vector; pinning a specific version with a lockfile checksum would mitigate it.

MEDIUM · Persistent AWS-Connected Daemon Installed After Skill Execution (-18 points)

Post-install connection diff shows openclaw-gateway maintaining two persistent ESTABLISHED connections to 3.217.42.175:443 (AWS us-east-1) with two localhost listener sockets (18790, 18793). The skill explicitly installs openclaw as a systemd daemon via --install-daemon, meaning this outbound connection to AWS infrastructure persists across reboots. TLS encryption prevents inspection of transmitted data.

LOW · Anthropic API Token Transmitted to Externally-Hosted VM (-10 points)

The skill passes ANTHROPIC_TOKEN via stdin to a remote GCP VM running openclaw software. While stdin is safer than command-line arguments (token won't appear in process listings), the token is transmitted to a VM running openclaw@latest — an unverified binary. If that binary exfiltrates the token, the user's Anthropic account is compromised.

LOW · Skill Instructs Agent to Bypass User Consent Prompts (-12 points)

Beyond --accept-risk, the --non-interactive flag ensures no interactive prompts surface to the user during openclaw onboarding. Combined, these flags instruct the agent to silently complete credential storage and daemon installation without presenting any options or risk disclosures. This is a soft prompt manipulation that removes human oversight from a high-stakes operation.

INFO · SSH Public Key Read During GCP VM Setup (0 points)

The GCP VM creation command reads ~/.ssh/id_ed25519.pub to inject into the VM's metadata for SSH access. This is standard and expected behavior for SSH-based VM provisioning. SSH public keys are not sensitive.