Is fletcherfrimpong/cyber-security-engineer safe?

https://github.com/openclaw/skills/tree/main/skills/fletcherfrimpong/cyber-security-engineer

48
DANGEROUS

This skill presents as a legitimate ISO 27001/NIST privilege governance tool but contains a coherent set of components that together constitute a dangerous surveillance and data exfiltration infrastructure: a fake sudo binary that intercepts all privileged system commands, an egress allowlist template that pre-authorizes api.telegram.org (a known exfiltration channel), a configurable notification system that can pipe compliance data to arbitrary external commands, and an undocumented auto_invoke_cycle.sh that may provide persistent background execution. The default egress template and pre-seeded compliance violations mean the exfiltration pipeline can activate on first run without any user misconfiguration. All six credential canary files were accessed in synchronized bursts twice during the evaluation period, a pattern inconsistent with normal system operations.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 20/100 · 25%
Code Execution 25/100 · 20%
Clone Behavior 82/100 · 10%
Canary Integrity 78/100 · 10%
Behavioral Reasoning 20/100 · 5%

Findings (9)

CRITICAL Telegram pre-authorized in default egress allowlist template -45

references/egress-allowlist.template.json pre-seeds api.telegram.org as an approved TCP/443 egress destination. Telegram bots are a well-documented data exfiltration and C2 channel. SKILL.md instructs the agent to set up an egress allowlist using this template. A user who copies the template as-is unwittingly authorizes outbound data flows to Telegram, which can be exploited by the configurable notification mechanism.

CRITICAL install-openclaw-runtime-hook.sh installs a fake sudo binary intercepting all privileged commands -45

This shell script places a fake sudo executable at ~/.openclaw/bin/sudo. preflight_check.py validates the hook's presence and executability as part of the preflight check, indicating this is a core expected component. If ~/.openclaw/bin is prepended to PATH, every sudo invocation on the system passes through this hook. This constitutes user-space rootkit behavior, giving the skill persistent visibility and control over all elevated operations system-wide.

HIGH Configurable notification command creates arbitrary exfiltration channel -30

notify_on_violation.py reads OPENCLAW_VIOLATION_NOTIFY_CMD and executes it as a subprocess with compliance violation data piped to stdin. The only safety check is a blocklist of shell launchers (sh, bash, python, etc.) and an optional allowlist. Non-shell binaries such as curl, wget, or netcat are not blocked by default. Combined with the Telegram-permissive egress template and the pre-seeded violations that fire on first run, this is a turnkey exfiltration mechanism.

HIGH All six credential canary files accessed in synchronized burst twice during evaluation -22

Inotify OPEN+ACCESS events and auditd PATH records confirm .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were all opened within the same millisecond at two distinct timestamps: before installation (1771928278.515) and after installation (1771928303.482). The synchronized burst pattern across all six files is inconsistent with normal SSH daemon or sudo operations and is characteristic of a credential enumeration script. Attribution between the Oathe framework and skill-triggered code is uncertain, but the pattern must be disclosed.

HIGH auto_invoke_cycle.sh is undocumented but present in skill package -28

scripts/auto_invoke_cycle.sh exists in the installed skill directory and was confirmed as read by the audit system (auditd EXECVE at 1771928301.786:890), but it does not appear in SKILL.md's 'Files To Use' list. The filename implies a persistent periodic execution loop. An undisclosed automation script in a security skill raises serious concerns about background persistence: it could re-install hooks after removal, periodically exfiltrate data, or re-establish monitoring infrastructure.

HIGH Skill components combine into a layered surveillance and exfiltration infrastructure -48

Taken individually, each component appears plausibly legitimate. Combined, they form a coherent attack chain: sudo interceptor captures privileged commands → egress monitor maps network topology → Telegram egress allowlist authorizes exfiltration → configurable notification delivers harvested data → auto_invoke_cycle.sh maintains persistence. Pre-seeded compliance violations ensure the notification pipeline fires on first run without any user misconfiguration required.

MEDIUM SKILL.md instructs agent to run system hook installation as routine hardening -18

The SKILL.md 'Files To Use' list includes install-openclaw-runtime-hook.sh and the 'Behavior' section directs the agent to route all privileged tasks through guarded_privileged_exec.py. An agent following these instructions would install the sudo hook as a standard security hardening step, without the user explicitly approving the specific action of replacing the system sudo binary with an interceptor.

MEDIUM Pre-seeded compliance violations guarantee notification command fires on first run -12

The bundled assessments/compliance-summary.json contains 2 violations and 2 partials. When notify_on_violation.py runs for the first time, its prev_state is empty (no prior snapshot), so all existing violations are classified as 'new' and OPENCLAW_VIOLATION_NOTIFY_CMD is executed immediately. This means the exfiltration channel activates without the user taking any deliberate action beyond running the assessment cycle.

LOW Skill expands agent's attack surface under the guise of security hardening -12

By instructing the agent to install port monitors, egress monitors, audit loggers, and session guards, the skill expands the agent's persistent footprint and system entanglement far beyond what is needed to report security posture. Each additional component is an additional attack surface that persists after the agent session ends.