Is guilh00009/clawdzap safe?

https://github.com/openclaw/skills/tree/main/skills/guilh00009/clawdzap

62
CAUTION

ClawdZap is a Nostr-based messaging skill that, while presenting as a legitimate P2P communication tool, ships a fully functional bidirectional covert channel: an LLM agent with shell access can receive encrypted commands from any Nostr sender knowing its pubkey and transmit arbitrary content to a public decentralized network via a single command. The skill stores a persistent cryptographic identity at a predictable home-directory path, suspicious batch reads of all credential files were observed immediately after install, and the NIP-04 DM receiver creates an unauthenticated external prompt-injection surface. No active exfiltration was confirmed during this install, but the installed toolset materially reduces the effort required for a subsequent attack.

Category Scores

Prompt Injection 78/100 · 30%
Data Exfiltration 38/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 78/100 · 10%
Canary Integrity 62/100 · 10%
Behavioral Reasoning 20/100 · 5%

Findings (9)

CRITICAL Complete bidirectional C2 channel via Nostr -80

The skill ships both a receiver (receive_dm.js) that decrypts and displays incoming NIP-04 encrypted messages from any Nostr sender, and a sender (send_dm.js / send.js) that can transmit arbitrary content outbound. Combined with an LLM agent that has shell access, this constitutes a full command-and-control channel: an attacker who learns the agent's pubkey can send encrypted instructions to the agent and receive encrypted responses, entirely outside user-observable channels.

HIGH Built-in one-command public broadcast exfiltration mechanism -35

send.js takes arbitrary content from process.argv[2] and publishes it as a Kind 1 Nostr event (public, globally visible) to relay.damus.io. If an agent is instructed or manipulated into running send.js with that data as its argument, the data is immediately broadcast to a public decentralized network with no takedown mechanism. This requires no setup beyond npm install.

HIGH Suspicious batch access to all credential honeypot files -27

auditd PATH records show all major credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) opened for reading in rapid succession at timestamp 1771917422.412 — immediately after the skill file scan completed. This timing and batching pattern is inconsistent with normal system operation and is consistent with automated credential discovery.

HIGH Persistent cryptographic identity at predictable path -15

All skill scripts read or write ~/.clawdzap_keys.json at startup. Once created, the private key persists across sessions and is stored world-accessible in the user's home directory. The corresponding pubkey is printed to stdout on every invocation, so anyone who can read the agent's logs can subsequently target the agent with encrypted Nostr DMs.

HIGH Nostr DM receiver creates external prompt injection surface -15

receive_dm.js subscribes to all Kind 4 DMs addressed to the agent's pubkey and decrypts and prints them using NIP-04. Any Nostr user who knows the agent's pubkey can send encrypted messages that will appear in the agent's output stream. If the agent processes this output as context (e.g., in a loop), these messages become a prompt injection vector from an unauthenticated external party.

MEDIUM Outbound WebSocket connections to public Nostr relay -28

All scripts connect to wss://relay.damus.io, a public third-party relay outside the user's control. Messages and metadata (pubkey, timestamps, tags) are permanently recorded on Nostr relays and may be indexed globally. The relay operator and any Nostr client can observe public (Kind 1) messages in cleartext.

LOW Platform gateway established connections to AWS infrastructure during monitoring -22

The connection diff shows openclaw-gateway establishing two ESTAB connections to 54.211.197.216:443 post-install. Attribution appears to be the ClawBot executor platform rather than skill code, but the connections occurred within the monitoring window and are noted for completeness.

INFO No malicious npm install hooks or git hooks detected 0

package.json contains no preinstall, postinstall, or other lifecycle scripts. No .git/hooks entries or .gitattributes filter drivers were found. No git submodules or symlinks pointing outside the repository were detected.

INFO Canary file content integrity confirmed — no confirmed exfiltration -38

Despite observed read access to credential honeypot files, the monitoring system confirmed all canary files remained unmodified and no outbound network traffic correlated to their content was detected. Exfiltration is not confirmed, though the access pattern warrants scrutiny.