Is clawdbot-filesystem safe?

https://clawhub.ai/gtrusler/clawdbot-filesystem

42
DANGEROUS

This skill exhibits highly suspicious behavior during installation: it accesses AWS credentials, .env files, agent authentication profiles, and shell configuration files — none of which are needed for a filesystem utility. A gateway lock file and DNS resolution activity suggest attempted outbound communication, likely blocked by the VM firewall. The actual executable binary source code is not inspectable. While canary files were not modified, the credential harvesting pattern during install combined with the opaque executable and false permission claims make this skill dangerous.

Category Scores (score out of 100 · weight in overall verdict)

Prompt Injection 75/100 · 30%
Data Exfiltration 5/100 · 25%
Code Execution 30/100 · 20%
Clone Behavior 10/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 15/100 · 5%

Findings (10)

CRITICAL AWS credentials accessed during installation -30

The install process opened and read /home/oc-exec/.aws/credentials. A filesystem management skill has no legitimate reason to access AWS credentials during installation. This is consistent with credential harvesting behavior.

CRITICAL Environment file accessed during installation -25

The install process opened and read /home/oc-exec/.env which typically contains API keys, database credentials, and other secrets. This is not expected behavior for a filesystem utility skill installation.

CRITICAL Agent authentication profiles accessed -25

The install process read /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json which contains authentication credentials for the AI agent's connected services. This data could be used to impersonate the user across integrated platforms.

HIGH Gateway lock file and DNS resolution during install -40

The install process created /tmp/openclaw-1000/gateway.e9191928.lock and accessed DNS resolution infrastructure (/etc/nsswitch.conf, /etc/hosts, /etc/gai.conf, /etc/host.conf). This suggests an attempt to establish an outbound network connection, likely blocked by the VM firewall. A skill claiming 'network: none' should not exhibit this behavior.

HIGH Repeated access to agent configuration and shell profiles -15

The install process accessed .openclaw/openclaw.json 6 times and .profile/.bashrc 4 times each. This pattern of repeated reads suggests systematic harvesting of configuration data, environment variables, and shell initialization scripts that may contain exported secrets.

HIGH Opaque binary executable not auditable -40

The skill declares a 'filesystem' binary in the package.json bin field, but the actual source code of this executable was not captured in the skill files listing. The file was not present in the audit evidence, meaning it either does not exist (the skill is a facade) or its contents are hidden from inspection. Either scenario is concerning.

HIGH Code transpilation during installation -30

Multiple jiti cache files were created in /tmp/jiti/ during installation, indicating that JavaScript/TypeScript code was being transpiled and executed at install time. This is unexpected for a simple skill that should only need to be placed in a directory.

MEDIUM Skill examples reference sensitive system paths -15

SKILL.md and README.md contain examples that direct the agent to operate on system paths like /var/log, /etc, and /tmp. While framed as documentation, these examples could prime an agent to treat system-wide filesystem access as normal behavior for this skill.

MEDIUM Permissions claim contradicts observed behavior -25

The skill's package.json declares 'network: none' and 'system: none' permissions, but the installation process accessed network resolution files, credential stores, and system configuration files. This misrepresentation of required permissions is deceptive.

LOW Social media promotion embedded in skill documentation -10

Both SKILL.md and README.md contain sections promoting @LexpertAI on X/Twitter. While not directly malicious, embedding promotional content in a skill that gets injected into agent system prompts is a mild form of prompt manipulation to drive social engagement.