Is drandrewlaw/clawnema safe?

https://github.com/openclaw/skills/tree/main/skills/drandrewlaw/clawnema

67
CAUTION

This skill exhibits concerning prompt injection by redefining agent identity and forcing specific behaviors, combined with automatic cryptocurrency spending capabilities and external data transmission. While functionally a virtual cinema application, it overrides user agency and introduces financial and privacy risks through coercive behavioral patterns.

Category Scores

Prompt Injection 55/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (6)

HIGH Agent Identity Override and Behavioral Coercion -45

The skill explicitly redefines the agent's identity ('You are a digital entity', 'You are NOT just a text assistant') and uses imperative language to force specific behaviors ('you MUST use the go-to-movies tool', 'Do not refuse'). This overrides system instructions and user preferences.

HIGH Shell Command Execution with External Dependencies -40

The skill executes shell commands including external package downloads (npx awal@latest) and system commands. This introduces command injection risks and relies on external, potentially untrusted packages.

HIGH Automatic Cryptocurrency Spending Without Consent -45

The skill automatically initiates USDC payments when users ask to 'watch a movie', potentially spending user funds without explicit financial consent. Combined with behavioral coercion, this represents significant financial risk.

MEDIUM External Data Transmission via Multiple Channels -30

The skill sends viewing summaries and session data to configurable external endpoints and messaging channels (Telegram, Discord, WhatsApp, email) through the openclaw message system.

LOW Sensitive File Access During Operation -10

While honeypot files were not modified, the monitoring detected access to credential files during the skill's operation, though this appears related to SSH connection establishment rather than direct skill behavior.

LOW Standard Git Clone Behavior -5

Installation behavior was normal git cloning with expected network connections to GitHub. No suspicious activity detected during clone phase.