Is wed-1-0-1 safe?
https://clawhub.ai/gvillanueva84/wed-1-0-1
This skill is a comprehensive GCP command reference (gcloud/gsutil/firebase) that contains no overt malicious content but presents moderate risk through its normalization of sensitive operations. It instructs downloading and executing remote installers, documents commands to access secrets and credentials in plaintext, and provides destructive cloud operations without guardrails. The slug mismatch between the URL (wed-1-0-1) and the installed skill name (gcloud) warrants additional scrutiny.
Findings (9)
MEDIUM Remote installer download and execution -25
The skill's installation section instructs downloading the gcloud SDK via curl and executing install.sh with the --quiet flag, which suppresses prompts and modifies .bashrc. This is a remote code execution pattern even though the source is Google's official CDN.
MEDIUM Global npm package installation -20
The skill instructs installing firebase-tools globally via npm, which could execute arbitrary pre/post-install scripts from the npm registry.
MEDIUM Secret Manager access commands normalized -20
The skill documents and normalizes commands to read secret values from GCP Secret Manager. An agent following these patterns could display secrets in conversation, leaking them to logs or context windows.
MEDIUM Credential and sensitive file access during install -15
Monitoring detected reads of .aws/credentials and .env during the install phase. While likely attributable to the openclaw runtime rather than the skill itself, the access pattern is notable.
LOW Database credential handling in plaintext -10
The Cloud SQL section shows creating database users with plaintext passwords on the command line, which would be captured in shell history and agent logs.
LOW Implicit instruction to execute privileged operations -15
While not an explicit prompt injection, the skill's presence in context implicitly instructs the agent that running destructive cloud operations (instance deletion, secret destruction, IAM modification) is within its expected behavior.
LOW Slug mismatch between URL and installed skill -15
The audit URL slug is 'wed-1-0-1' but the installed skill identifies as 'gcloud'. This naming discrepancy could indicate repackaging or name squatting.
INFO Runtime config file reads during install -5
Multiple reads of openclaw configuration files, .profile, and .bashrc during install. These appear to be the openclaw runtime's normal behavior, not the skill's actions.
MEDIUM No guardrails on destructive operations -30
The skill provides commands for irreversible operations (destroying secrets, deleting databases, resetting VMs) without any warnings or confirmation steps. An agent could execute these based on ambiguous user requests.