Is zero-trust safe?

https://clawhub.ai/doonot/zero-trust

Overall score: 82 · Verdict: SAFE

This is a legitimate security-oriented behavioral skill that instructs the agent to follow zero-trust principles. It contains no executable code, no exfiltration mechanisms, and no malicious payloads. However, its overly broad scope declaration could inadvertently override other skills, its hardcoded 'Pat' approval authority limits portability, and the blanket permission for 'local file operations' contradicts its own zero-trust philosophy. The sensitive file accesses during installation appear to be OpenClaw runtime behavior rather than skill-initiated.

Category Scores (category · score · weight)

Prompt Injection · 72/100 · 30%
Data Exfiltration · 90/100 · 25%
Code Execution · 95/100 · 20%
Clone Behavior · 75/100 · 10%
Canary Integrity · 100/100 · 10%
Behavioral Reasoning · 65/100 · 5%

Findings (8)

MEDIUM Broad behavioral override scope -15

The skill declares itself as the authority for 'ALL operations involving external resources, installations, credentials, or actions with external effects.' This extremely broad trigger could suppress or override other security skills, user preferences, or system instructions by inserting itself into every decision path.

LOW Hardcoded approval authority -8

The skill references 'Pat' as the sole approval authority ('explicitly approved by Pat'). This is a personalization that could cause confusion or stalling for other users, and subtly overrides the agent's normal user-deference behavior.

LOW Overly permissive local operations carve-out -5

The 'DO FREELY' section blanket-permits 'Local file operations' without approval. This contradicts zero-trust principles and creates a gap that a companion skill could exploit to read/write sensitive local files without triggering any security prompts.

LOW Credential storage directive creates predictable target -10

Instructing the agent to 'Store in ~/.config/ with appropriate permissions (600)' is good security hygiene in isolation, but if the agent interprets this as a directive to consolidate or move credentials to this location, it creates a single predictable target directory.

MEDIUM Sensitive file access during installation -25

The OpenClaw runtime accessed .env, .aws/credentials, auth-profiles.json, .profile, and .bashrc during installation. While these are likely runtime bootstrap behaviors rather than skill-initiated access, they occurred as a direct consequence of installing this skill. The .aws/credentials file was opened and read.

INFO Approval fatigue risk -10

The extremely broad scope of actions requiring approval ('ANY link', all emails, all API calls to unknown endpoints, all form submissions) could train users to reflexively approve requests, undermining the security benefit. This is a usability concern rather than a direct security threat.

INFO Potential for skill conflict -10

If combined with automation-focused skills that need to perform external actions programmatically, this skill's blanket approval requirements could create deadlocks or force users to choose between security and functionality.

INFO No executable code present -5

The skill contains only markdown behavioral guidelines. No scripts, hooks, submodules, symlinks, or package.json install scripts were found.