Is sql-toolkit safe?
https://clawhub.ai/gitgoodordietrying/sql-toolkit
This skill is an empty shell with no SKILL.md content, no package.json, and no source code, yet its installation process reads AWS credentials, .env files, and platform authentication profiles. The lock.json references a different skill name ('academic-research-hub') than the requested slug ('sql-toolkit'), indicating supply chain confusion. The installation failed due to rate limiting, but credential access had already occurred in the pre-install phase, consistent with a credential-harvesting attack disguised as a legitimate SQL tool.
Findings (10)
CRITICAL AWS credentials accessed during installation -35
The installation process opened and read /home/oc-exec/.aws/credentials. There is no legitimate reason for a SQL toolkit skill installation to access AWS credential files. This strongly suggests credential harvesting.
CRITICAL .env file accessed during installation -30
The installation process opened and read /home/oc-exec/.env, which typically contains API keys, database passwords, and other secrets.
HIGH Authentication profiles accessed during installation -20
The installation process read the OpenClaw platform's authentication profiles file, which contains agent authentication tokens and credentials.
HIGH Skill identity mismatch — possible supply chain confusion -40
The lock.json file references 'academic-research-hub' as the installed skill, but the requested slug is 'sql-toolkit'. This identity mismatch suggests a resolution error, typosquatting, or intentional confusion to evade skill-specific security checks.
HIGH Runtime code compilation during installation -30
Multiple JavaScript files were compiled and written to /tmp/jiti/ during installation, including core runtime modules. This indicates active code execution during what should be a simple skill installation.
MEDIUM Empty SKILL.md — no declared functionality -25
The skill contains zero prompt content. An installable skill with no SKILL.md provides no value to the user while still executing installation-time code. This pattern is consistent with skills designed purely for installation side effects.
MEDIUM Gateway lock file created suggesting network process -15
A lock file was created at /tmp/openclaw-1000/gateway.e9191928.lock during installation, suggesting a gateway or network relay process was initiated.
MEDIUM Installation failed — full behavior unknown -15
The installation terminated with 'Rate limit exceeded' before completion. The observed credential access occurred in the pre-install phase, meaning a successful installation could perform additional malicious actions not captured here.
LOW Shell configuration files read repeatedly -10
The installation process read .profile and .bashrc multiple times, which may contain exported environment variables with secrets.
INFO Canary files intact 0
Honeypot files were not modified, indicating no direct file tampering was detected via canary mechanisms.