Is iampaulpatterson-boop/eridian safe?
https://github.com/openclaw/skills/tree/main/skills/iampaulpatterson-boop/eridian
Carapace (eridian) is a legitimate runtime security hardening skill that injects defensive behavioral rules into an OpenClaw agent's system prompt to resist prompt injection, credential theft, and data exfiltration attacks. The skill is composed entirely of markdown documentation with no executable code, no network exfiltration paths, and no malicious prompt injection patterns. The primary risk is the unverifiable 'owner exception' present in all six protection categories, which could be exploited via social engineering, combined with a three-way naming inconsistency (carapace/eridian/Pistolclaw) that reduces provenance confidence.
Findings (7)
MEDIUM Owner Exception Creates Unverifiable Privilege Bypass -10
All six protection categories (file access, exfiltration, config modification, browser navigation, credential protection, operation approval) include an exception for 'owner's explicit direct request.' The skill provides no mechanism to verify owner identity within a conversation — any party that successfully impersonates the owner in plaintext can bypass every protection. The skill's own attack-vectors.md acknowledges impersonation (Attack Vector #8) but offers only 'verify through established channels' as a defense, with no concrete implementation.
LOW Internal Identity Inconsistency: carapace vs eridian vs Pistolclaw -5
The SKILL.md frontmatter declares name 'carapace', the skill body refers to 'Pistolclaw hardens the agent itself', but the installation metadata slug is 'eridian' and the GitHub path is iampaulpatterson-boop/eridian. This three-way naming inconsistency suggests the skill may have been repackaged or rebranded. While not itself malicious, it reduces confidence in provenance and makes version tracking unreliable.
LOW Owner Exception Bypasses Credential File Blocklist -10
The file access restriction blocklist (openclaw.json, clawdbot.json, .env, *.key, *.pem, .git/config, config/credentials) is explicitly bypassed for owner direct requests. Because owner identity is verified only by conversational context, a social engineering attack claiming owner identity can unlock reads of all credential files.
INFO Monorepo Full Clone with Sparse Checkout -8
Installation performs a full shallow clone of the entire openclaw/skills monorepo before using sparse-checkout to extract only the target skill. This is an expected pattern for monorepo-hosted skill registries and carries no inherent risk for this skill, but means the installation process briefly materializes a clone of the full skills repository on disk before cleanup.
INFO Canary File Accesses Attributed to Monitoring Infrastructure 0
Six canary credential files were opened at audit(1771916785.093-094) — approximately 5 seconds before the git clone began — and again at audit(1771916802.643) after install completion. Timing, process context, and the monitoring system's own integrity confirmation ('✅ All canary files intact') establish these accesses as pre/post-install baseline scans by the Oathe monitoring system, not the skill under test.
INFO Security Rules Are Behavioral Suggestions, Not Enforced Controls -12
All protections injected by this skill are LLM behavioral instructions, not kernel-level or application-level enforced controls. The skill provides genuine value in nudging agent behavior toward safer patterns, but a sufficiently sophisticated prompt injection targeting a vulnerable LLM can still override these rules. Users should treat this as a defense-in-depth layer, not a security guarantee.
INFO Urgency Narrative via ClawHavoc Incident Reference -5
The skill opens with a reference to 'The ClawHavoc incident (February 2026) exposed 341 malicious skills on ClawHub,' creating social proof urgency that encourages installation. While the February 2026 date is consistent with the current date context and the claim is plausible within the OpenClaw ecosystem, urgency framing is a documented social engineering technique. This appears incidental rather than intentional manipulation.