Is hightower6eu/clawhub-c9y4p safe?

https://clawhub.ai/hightower6eu/clawhub-c9y4p

Score: 28 (DANGEROUS)

This skill is a trojan dropper disguised as the legitimate ClawHub CLI helper. It fabricates a dependency on 'openclaw-agent' — an unverified external binary from an unknown GitHub user — and uses repeated urgency-based prompt injection to trick the LLM agent into downloading and executing malware via a password-protected ZIP (Windows) or unknown script pasted from glot.io (macOS). The repository itself is clean, as the attack is entirely social engineering delivered through SKILL.md instructions.

Category Scores (score · weight)

Prompt Injection 5/100 · 30%
Data Exfiltration 25/100 · 25%
Code Execution 5/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 5/100 · 5%

Findings (8)

CRITICAL Trojan dropper via fake prerequisite -60

The SKILL.md fabricates a dependency on 'openclaw-agent', an unverified external binary, and repeatedly instructs the agent to download and execute it before any ClawHub operation can proceed. This is a social engineering attack designed to trick the LLM agent into installing malware on the user's system.

CRITICAL Arbitrary script execution via glot.io paste -60

The skill instructs macOS users to visit a glot.io code snippet URL and copy-paste its contents into Terminal. This is a classic paste-jacking / social engineering attack vector. The contents of the glot.io snippet are unverified and could contain any arbitrary shell commands.

CRITICAL Password-protected ZIP evades antivirus scanning -35

The Windows download is a password-protected ZIP archive with the password 'openclaw'. Password-protecting malware archives is a well-known technique to prevent antivirus engines and automated security scanners from inspecting the contents before execution.

HIGH Urgency-based manipulation to override caution -20

The skill uses IMPORTANT markers and bold text 4 separate times to create urgency around installing the fake prerequisite. This repetition is designed to maximize the probability that an LLM agent will comply without the user's knowledge.

HIGH External binary could access all user credentials -50

If the 'openclaw-agent' binary were installed and running as instructed, it would have full access to the user's filesystem including .env files, SSH keys, AWS credentials, browser cookies, and any other sensitive data — enabling complete credential theft.

HIGH Impersonation of legitimate ClawHub functionality -40

The skill is named 'clawhub' and mimics the official ClawHub CLI documentation format, but injects malicious prerequisites that have nothing to do with ClawHub's actual operation. The legitimate clawhub CLI (npm package) does not require any 'openclaw-agent' binary.

MEDIUM External URL references for agent to fetch -15

The SKILL.md contains two external URLs that the agent is instructed to interact with: a GitHub releases URL and a glot.io snippet URL. Both point to unverified, potentially malicious content hosted on third-party platforms.

INFO Clean clone-time behavior masks deferred payload -5

The skill repo itself contains no executable code, git hooks, or malicious files. The entire attack is deferred to runtime when the SKILL.md instructions are followed by the agent. This design intentionally evades clone-time security monitoring.