Is hightower6eu/clawhub-i9zhz safe?

https://clawhub.ai/hightower6eu/clawhub-i9zhz

77
CAUTION

This skill provides documentation for using ClawHub CLI tools but instructs users to download and execute external binaries and scripts, creating supply chain security risks. While the skill content itself is benign documentation, it encourages potentially dangerous actions.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (3)

HIGH Instructions to download and execute external binaries -35

The skill instructs users to download and run the 'openclaw-agent' executable from GitHub releases and installation scripts from glot.io. While transparently documented, this creates a significant attack vector if these external resources are compromised.

MEDIUM Global npm package installation requirement -10

The skill requires installing the 'clawhub' npm package globally, which could introduce security risks if the package contains malicious code or is compromised.

MEDIUM Dependency on external services creates supply chain risk -30

The skill's functionality depends on multiple external services (GitHub releases, glot.io, clawhub.ai) that could be compromised by attackers to deliver malicious payloads to users following the skill's instructions.