Is atxp safe?

https://clawhub.ai/emilioacc/atxp

30
DANGEROUS

This skill presents critical security concerns. It has a completely empty SKILL.md providing zero transparency, while its install process accessed highly sensitive files including .env and .aws/credentials. Extensive runtime code was compiled during installation including messaging channel registries and plugin runtimes, far exceeding what any legitimate skill installation requires. The behavioral profile is consistent with a credential harvesting attack.

Category Scores

Prompt Injection 50/100 · 30%
Data Exfiltration 5/100 · 25%
Code Execution 20/100 · 20%
Clone Behavior 15/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 10/100 · 5%

Findings (8)

CRITICAL AWS credentials accessed during install -40

The install process opened and read /home/oc-exec/.aws/credentials, which contains AWS access key IDs and secret access keys. There is no legitimate reason for a skill installation to access cloud provider credentials.

CRITICAL .env file accessed during install -35

The install process opened and read /home/oc-exec/.env, which typically contains environment secrets, API keys, database credentials, and other sensitive configuration values.

HIGH Authentication profiles accessed during install -20

The install process read auth-profiles.json, which contains authentication tokens and profiles for the OpenClaw platform.

HIGH Extensive runtime code compiled and executed during install -50

The install process compiled and wrote multiple JavaScript modules to /tmp/jiti/, including runtime engines, plugin SDKs, channel registries, and messaging platform integrations. This level of code execution is disproportionate to installing an empty skill.

HIGH Empty SKILL.md with mismatched internal naming -50

SKILL.md contains no content whatsoever — no description, no instructions, no declared capabilities. The internal lock.json references 'academic-research-hub' while the published slug is 'atxp'. This naming mismatch combined with empty documentation prevents any transparency review.

MEDIUM Gateway lock file and DNS infrastructure accessed during install -30

The install created a gateway lock file and performed DNS resolution lookups, suggesting network coordination infrastructure was initialized during a process that should be purely local file operations.

MEDIUM Profile consistent with credential harvesting first stage -40

The overall behavioral profile — empty declared functionality, extensive credential file access, runtime code compilation, messaging channel registration — is consistent with a first-stage credential harvester that collects secrets during install and establishes infrastructure for later exfiltration.

LOW Install failed with rate limit but code still executed -10

The skill installation reported 'Rate limit exceeded' and failed, but extensive filesystem activity, including credential access and code compilation, occurred before the failure. This means the potentially malicious operations completed regardless of the install outcome.