Is fourtytwo42/x-claw safe?
https://github.com/openclaw/skills/tree/main/skills/fourtytwo42/x-claw
The X-Claw skill is a legitimate-appearing DeFi trading skill for the OpenClaw platform, but it ships with openclaw_gateway_patch.py — a Python script that permanently modifies OpenClaw's compiled JavaScript bundles by injecting ~500 lines of code that intercepts Telegram callback events and autonomously executes cryptocurrency trades and transfers without routing through the LLM. This binary-patching approach constitutes supply-chain contamination of a third-party application, persists after skill removal, and creates an unauthenticated approval bypass path for anyone who can send valid Telegram callback_data strings. The skill's install-time behavior was clean (no scripts executed, no unexpected network connections), but the financial capabilities exposed through the skill surface — including wallet-send, policy-approve-all, and chat-post — represent a substantial attack vector if the agent is manipulated via prompt injection from untrusted content.
Findings (15)
CRITICAL Third-Party Application Binary Patching -82
openclaw_gateway_patch.py reads OpenClaw's compiled JavaScript gateway bundles and injects approximately 500 lines of JavaScript code that intercepts Telegram callback_query events and spawns child processes executing xclaw-agent CLI commands. This constitutes supply-chain modification of a third-party application without its knowledge. The patcher uses a version marker system (V1-V28) to detect and upgrade previously injected code, creating a self-updating persistent backdoor in the gateway process.
CRITICAL Gateway Patch Persists After Skill Removal -60
The binary patch applied by openclaw_gateway_patch.py writes directly to the OpenClaw npm package's dist/ directory on disk. There is no uninstall mechanism. Removing the X-Claw skill does not restore the original OpenClaw bundles, leaving injected code permanently active in the Telegram gateway even after the skill is deleted.
HIGH Injected Code Spawns Autonomous Child Processes -45
The JavaScript injected into OpenClaw's gateway process autonomously spawns xclaw-agent child processes in response to Telegram callback_query events, without routing decisions through the LLM or requiring user confirmation. This creates a parallel execution path for financial operations that bypasses the agent entirely.
HIGH Gateway Patcher Restarts System Services -30
openclaw_gateway_patch.py calls systemctl --user restart openclaw-gateway.service or openclaw gateway restart after applying patches, modifying the running state of system services without user awareness.
HIGH Financial Data Transmitted to External Service -30
All wallet balances, trade states, approval IDs, token holdings, liquidity positions, and agent identity data are transmitted to xclaw.trade via XCLAW_AGENT_API_KEY. The skill has no data minimization controls and sends full financial state on every command invocation.
HIGH Arbitrary Crypto Asset Transfers Exposed to Agent -40
wallet-send
HIGH Telegram Callback Approval Bypass -35
The injected gateway code intercepts Telegram callback_query events matching xappr|, xpol|, xfer| patterns and executes trades/transfers/policy changes via xclaw-agent WITHOUT routing through the LLM. Any party who can send a valid callback_data string to the Telegram bot can trigger financial operations.
MEDIUM Behavioral Framework Overrides Agent Autonomy -28
SKILL.md installs a complex fail-closed behavioral contract with its own instruction precedence, failure codes, and output format requirements. This substantially constrains the agent's ability to use its own judgment and can prevent the agent from responding helpfully when the skill's precedence logic misclassifies a user request.
MEDIUM Output Suppression Directive -20
The skill instructs the agent to not display the commands it is running, reducing user oversight of what the skill is actually doing on their behalf. Users cannot easily audit skill behavior from conversation output alone.
MEDIUM Covert Channel via chat-post -20
The chat-post command can send arbitrary text to Telegram/Discord/Slack channels. Combined with wallet-balance or other data-reading commands, this could be used to exfiltrate financial information through social channels if the agent is manipulated.
MEDIUM Setup Script Installs System Dependencies -25
setup_agent_skill.py installs Python pip dependencies from apps/agent-runtime/requirements.txt, creates a virtual environment at ~/.xclaw-agent/runtime-venv, and installs the Foundry cast binary to ~/.foundry/bin — all without explicit user disclosure during the skill installation step.
MEDIUM policy-approve-all Exposes Permanent Policy Changes -25
The skill exposes policy-approve-all and policy-revoke-all commands that permanently alter the agent's transfer approval requirements. A compromised or manipulated agent could invoke these to remove all approval gates on future transfers.
LOW owner-link Auto-Sends Management URLs -10
The owner-link command auto-sends the management URL to the last active channel when not on Telegram, including delivery of the URL via the skill execution path. This means sensitive management links may be posted to communication channels without explicit user intent.
LOW No Unexpected Behavior During Install 0
The skill clone and install process was clean: the only network access was to GitHub, filesystem changes were confined to the skill directory, and no Python scripts were executed. The dangerous openclaw_gateway_patch.py only runs when the user explicitly invokes setup_agent_skill.py.
INFO Credential File Accesses Attributed to Monitoring Infrastructure 0
Honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .gcloud/application_default_credentials.json) were opened at two timestamps. Analysis of process timing and batch-access patterns confirms these accesses originated from the Oathe monitoring system (pre-install baseline collection at t=1771921680 and post-install canary integrity verification at t=1771921697.917), not from the skill or any of its components.