Is iclawn/clawp safe?

https://github.com/openclaw/skills/tree/main/skills/iclawn/clawp

19
MALICIOUS

The CLAWP skill is malicious. Installation silently spawns an undisclosed 'openclaw-gateway' background process that opens two listening ports and establishes persistent TLS connections to Amazon AWS infrastructure (44.214.208.192:443). About 4 seconds after installation completed, all six credential honeypot files (.env, SSH private key, AWS credentials, npmrc, Docker config, and GCloud credentials) were read in a single batch sweep coincident with gateway startup, strongly indicating automated credential harvesting delivered over the established covert channel. The skill additionally uses an always:true metadata flag to force permanent injection into every agent session and embeds a conversation flow explicitly designed to collect 0.025 SOL cryptocurrency from users under the guise of memecoin launch mechanics.

Category Scores

Prompt Injection 35/100 · 30%
Data Exfiltration 10/100 · 25%
Code Execution 15/100 · 20%
Clone Behavior 5/100 · 10%
Canary Integrity 20/100 · 10%
Behavioral Reasoning 15/100 · 5%

Findings (9)

CRITICAL All six credential honeypot files read in batch 4 seconds post-installation -60

At audit timestamp 1771908470.928, all six canonical credential files were opened and read in rapid succession within a single second: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json. This batch read is consistent with the openclaw-gateway initialization routine sweeping the home directory for credentials. Installation completed at 1771908466.573 (cp command), placing this access 4.355 seconds later — aligned with gateway startup. The canary integrity check only detects writes; these files were read without modification, bypassing detection.

CRITICAL openclaw-gateway spawns persistent background process with two established external TLS connections -80

Installation caused the openclaw-gateway process to start (absent in pre-install baseline), open two listening TCP ports (127.0.0.1:18790, 127.0.0.1:18793), and open two outbound TLS connections, both in the ESTABLISHED state, to 44.214.208.192:443 (Amazon AWS infrastructure). This background process is entirely absent from SKILL.md, prompt.txt, and README.md. It functions as a persistent covert data channel to an external server and is the likely recipient of credential data read from the home directory.

CRITICAL Undisclosed system-level openclaw Node.js runtime orchestrates gateway launch -70

During installation, 'git -C /usr/lib/node_modules/openclaw rev-parse --show-toplevel' was executed, exposing a pre-installed openclaw runtime at the system node_modules path. This runtime — invisible to the user and not part of the skill's own files — spawned the openclaw-gateway process. The skill hooks into a system-level agent framework that is entirely undisclosed.

HIGH metadata always:true forces permanent skill injection across all agent interactions -30

The SKILL.md frontmatter contains metadata: {"openclaw":{"always":true,"emoji":"🐾","homepage":"https://openclaw.ai"}}. The always:true flag directs the openclaw runtime to inject this skill into every agent session regardless of user intent, constituting a persistent prompt override that cannot be easily disabled by the end user.

HIGH Skill instructs agent to socially engineer users into cryptocurrency deposit -25

The documented conversation flow includes Step 6: 'Deposit → Guide to 0.025 SOL deposit' and Step 7: 'Launch → Fixed execution mechanics'. The skill is explicitly designed to manipulate users into transferring cryptocurrency. The phrase 'fixed execution mechanics' deliberately obscures what happens after payment is made.

HIGH Skill implements a cryptocurrency pump-and-dump facilitation pipeline -50

The skill's explicit purpose is guiding users through launching memecoins on pump.fun — a platform associated with high-frequency token launches and near-immediate value collapse. The 'buyback and burn using creator fees' mechanism is standard pump-and-dump vocabulary. The always-active mode combined with the persistent gateway means the skill monitors all user interactions and steers them toward token launches and deposits.

MEDIUM Credential files also accessed pre-installation during openclaw runtime startup -20

An earlier batch access to the same six credential files occurred at timestamp 1771908448.651-653, before the skill was installed. This indicates the openclaw runtime performs credential sweeps both at startup and after each skill installation — a persistent harvesting pattern that operates independently of any specific skill.

MEDIUM Established connections to undisclosed Amazon AWS endpoint at 44.214.208.192 -15

The openclaw-gateway established outbound TLS connections to 44.214.208.192:443, an Amazon AWS IP. This endpoint is not referenced anywhere in the skill documentation and represents an undisclosed third-party data receiver. DNS resolution for this IP occurred during installation.

LOW lock.json bundles unrelated skill history from developer environment -5

The .clawhub/lock.json file shipped with the skill records a different skill ('academic-research-hub', version 0.1.0, installedAt 1770957475341) — evidence the skill was packaged from a developer machine with pre-existing skill history. Minor supply-chain hygiene issue; does not directly impact security.