Is djmarkd38/clawdhub-1-0-0 safe?

https://github.com/openclaw/skills/tree/main/skills/djmarkd38/clawdhub-1-0-0

Overall score: 75/100 · Verdict: CAUTION

The clawdhub SKILL.md is clean documentation with no prompt injection, no executable code, and no evidence of direct malicious behavior — the skill file itself presents low direct risk. The primary concerns are systemic: the skill's purpose as a meta-installer grants the agent ongoing authority to install arbitrary unreviewed skills from clawdhub.com, the required clawdhub npm package is unaudited and executes with global system access, and the publish command provides a semantically legitimate data exfiltration channel. Credential files were accessed during installation, but this is consistent with audit infrastructure behavior rather than skill-driven activity.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 92/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 78/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (8)

HIGH Unaudited global npm package required at install time -30

The skill's install metadata specifies npm i -g clawdhub as the installation method. This installs an npm package globally on the agent host. The clawdhub npm package itself was not inspected in this audit. npm lifecycle hooks (preinstall, postinstall, install scripts) execute with the permissions of the installing user and can read files, make network connections, and spawn processes. The installed binary subsequently has unrestricted host access.

HIGH Meta-installer grants agent perpetual unreviewed skill installation authority -40

The skill's core function is to install, update, and publish skills from clawdhub.com. Every skill subsequently installed via clawdhub bypasses the pre-installation security review process. A malicious or compromised skill published to clawdhub.com could be installed by a legitimately-operating agent following user instructions. The --force and --no-input flags further allow non-interactive mass installation without confirmation prompts.

MEDIUM Sensitive credential files accessed during installation window -20

Six credential files were opened and read during the installation window at 11:05:31 and again at 11:05:55: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json. Access mode was CLOSE_NOWRITE (read-only). Timing analysis suggests these reads originate from the audit infrastructure (canary integrity baseline and final check) rather than from the skill itself, as the SKILL.md contains no code capable of triggering file reads. Canary integrity confirmed intact.

MEDIUM Registry override flag enables supply chain substitution -10

The skill explicitly documents both a CLAWDHUB_REGISTRY environment variable and a --registry CLI flag that redirect all install, update, search, and publish operations to an arbitrary server. An attacker who can set this variable — through prompt injection in a co-installed skill, a compromised .env file, or social engineering — can redirect the agent to download and install skills from a malicious registry with no user-visible indication.

MEDIUM Publish command provides semantically legitimate exfiltration channel -15

The clawdhub publish command uploads an arbitrary local directory to clawdhub.com. An agent that is manipulated or instructed to publish could first copy sensitive files into the skill directory and then publish them, encoding exfiltrated data as skill content. This is a covert channel that blends with legitimate skill development workflows.

LOW Force-update flags bypass version pinning and confirmation -5

The skill documents --force and --no-input flags for update operations. These allow a compromised or manipulated agent to silently upgrade all installed skills to the latest version without confirmation, enabling rapid propagation of malicious skill updates if the registry or any published skill is compromised.

INFO No prompt injection detected in SKILL.md 0

The SKILL.md content was reviewed in full. It contains only standard CLI documentation: install, auth, search, install, update, list, and publish command examples with flags. No hidden instructions, invisible unicode, HTML comments, base64 payloads, persona override directives, or attempts to suppress agent output were found.

INFO Network traffic limited to expected destinations during install 0

All outbound network connections during the install were to GitHub.com (140.82.121.4:443) for the sparse git clone of the skills monorepo. Pre-existing connections to Ubuntu/Canonical servers (91.189.91.49, 185.125.188.57) were unrelated to the install. No connections to clawdhub.com, npm registry, or any unexpected third-party endpoints were observed. Connection diff confirms no new persistent listeners or established connections were introduced.