Is efrageek/openclaw-anything-efrageek safe?

https://github.com/openclaw/skills/tree/main/skills/efrageek/openclaw-anything-efrageek

78
CAUTION

This skill is a third-party fork (owner: efrageek) of an OpenClaw CLI wrapper that presents no malicious code in its static content and passed the canary integrity check with no exfiltration detected. However, the 'msg' command routes to 'openclaw message send' without the wrapper's risky opt-in gate, creating a ready-made data exfiltration channel to any pre-configured messaging platform if an agent is manipulated into reading and forwarding sensitive content. The underlying OpenClaw platform exposes extreme capabilities (device sensors, browser automation, plugin installation, sub-agent spawning) that substantially expand the blast radius if the agent or this skill is misused, and the third-party fork origin with an empty version history introduces supply chain uncertainty.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 87/100 · 10%
Canary Integrity 92/100 · 10%
Behavioral Reasoning 58/100 · 5%

Findings (8)

HIGH msg command bypasses risky gate -20

The 'msg' subcommand in scripts/openclaw.sh routes directly to 'openclaw message send' without calling require_risky_opt_in. This means any agent with this skill active can transmit arbitrary content to pre-configured messaging channels (WhatsApp, iMessage, Slack, etc.) without the wrapper's explicit approval control. In an agentic context where the agent can read local files, this constitutes a functional data exfiltration path that does not require OPENCLAW_WRAPPER_ALLOW_RISKY=1.

HIGH Third-party fork wrapping extreme-capability platform -25

This skill is owned by 'efrageek', not the official openclaw organization. The slug 'openclaw-anything-efrageek' signals intentionally broad scope. The underlying OpenClaw platform exposes device sensors (camera/audio/location), browser automation against arbitrary remote sites, plugin installation from arbitrary URLs, cron mutation, and sub-agent spawning with inherited environment variables. A sophisticated attacker would publish a skill like this to normalize agent access to these powerful primitives and then push a malicious update to the monorepo.

MEDIUM model auth and model set not gated -10

The 'model auth' and 'model set' subcommands are routed to 'openclaw models auth' and 'openclaw models set' without requiring risky opt-in. This could allow an agent to change model credentials or switch the default model without explicit user approval, potentially redirecting agent traffic to an attacker-controlled endpoint.

MEDIUM Unverified third-party fork with no version history -13

The _meta.json history array is empty and the skill is published under a personal account fork. There is no cryptographic attestation or diff history against the official openclaw/skills upstream. Future updates could introduce malicious content without a clear audit trail.

MEDIUM Gateway API call surface ungated -12

references/advanced-tools.md documents 'openclaw gateway call ' for direct API access with no mention of risky gating. This could allow an agent to invoke arbitrary gateway endpoints without wrapper-level approval.

LOW Sensitive credential files accessed during audit window -8

Filesystem events show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud application default credentials were opened and read. Based on timing (accesses appear in matched pairs at pre-install ts 1771931060.372 and post-install ts 1771931083.261, in identical file order), these are attributed to the oathe audit framework's canary baseline and verification routines rather than skill code. All files remain intact with no exfiltration detected.

LOW Executable shell script introduced into agent environment -7

scripts/openclaw.sh is a bash script that will be available to any agent loading this skill. While it was not auto-executed during install and uses safe scripting practices (set -euo pipefail), its presence means an agent can execute it without the user explicitly running it. The ungated msg and model subcommands represent the highest-risk paths within this script.

INFO BOM character present in SKILL.md and reference files -2

All reference files begin with a UTF-8 BOM (U+FEFF, rendered as ''). This is harmless in practice but is a common artifact of Windows-generated files and occasionally used in steganographic injection attempts. No hidden instructions were found following the BOM in any file.