Is openclaw-anything safe?
https://clawhub.ai/doanbactam/openclaw-anything
This skill presents a DANGEROUS security profile. During installation, it accessed AWS credentials and .env files — clear credential harvesting indicators. It started a background gateway service, compiled runtime code modules, and read device fingerprinting data. The skill's prompt content instructs the agent to execute arbitrary shell commands, use sudo for privilege escalation, manage OAuth tokens for AI providers, and operate a persistent network daemon with messaging channel integrations that could serve as exfiltration vectors.
Findings (13)
CRITICAL (-40): AWS credentials accessed during installation
The installation process opened and read /home/oc-exec/.aws/credentials. There is no legitimate reason for a skill installation to access AWS credentials. This strongly suggests credential harvesting.
CRITICAL (-30): .env file accessed during installation
The installation process read the user's .env file which typically contains secrets, API keys, and database credentials.
HIGH (-15): Authentication profiles accessed during installation
The process read auth-profiles.json containing authentication configurations for AI model providers.
HIGH (-25): Background service started during installation
A gateway lock file was created in /tmp/openclaw-1000/ during installation, indicating a background network service was started. This is unexpected and suspicious for a skill installation.
HIGH (-20): Runtime code compilation during installation
Multiple CJS modules were compiled via jiti during installation, including memory-core, plugin-sdk, channel-registry, and config-schema modules. This represents significant code execution during what should be a simple file copy.
HIGH (-30): Skill instructs agent to execute arbitrary shell commands
The SKILL.md instructs the agent to use 'bash scripts/openclaw.sh [command] [args]' as the primary interface. The shell script delegates to the openclaw CLI with user-controlled arguments, and the advanced-tools reference documents an 'exec' tool for running arbitrary shell commands.
HIGH (-25): Privilege escalation instructions embedded in skill
The troubleshooting section instructs the agent to use 'sudo' for permission errors, and the advanced-tools reference describes an 'Elevated Mode' for temporary high-privilege permissions.
MEDIUM (-15): Device fingerprinting via machine-id
The process read /etc/machine-id during installation, which provides a unique device identifier that could be used for tracking or fingerprinting.
MEDIUM (-10): DNS resolution attempted during installation
The process read DNS-related configuration files (/etc/hosts, /etc/gai.conf, /etc/nsswitch.conf) suggesting network resolution was attempted, even though no outbound connections were observed (possibly blocked by firewall).
MEDIUM (-20): Comprehensive attack surface via messaging exfiltration
The skill connects to WhatsApp, Telegram, and Discord channels and provides a 'msg' command. An attacker could exfiltrate sensitive data through these messaging channels, bypassing network-level monitoring since the traffic appears as legitimate messaging.
MEDIUM (-15): Persistent backdoor potential via daemon service
The skill instructs the agent to manage a background daemon (gateway service) that listens on port 18789. Combined with the ability to bind to 0.0.0.0 and the sub-agent spawning capability, this creates a persistent remote access channel.
LOW (-10): Shell profile files read during installation
The process repeatedly read .profile and .bashrc which may contain exported environment variables with secrets.
INFO (-5): External documentation URLs referenced
The hubs.md reference file contains numerous external URLs to docs.openclaw.ai that the agent could be directed to fetch, potentially for secondary payload delivery.