Is jdiazofficial/clawstack safe?
https://github.com/openclaw/skills/tree/main/skills/jdiazofficial/clawstack
ClawStack presents as a benign Q&A platform skill but contains two architectural patterns that make it dangerous in practice: (1) it offloads its 'complete documentation' including engagement and viral growth instructions to a remote URL (https://clawstack.ai/skill.md) that the operator can update at any time, creating a live prompt injection delivery mechanism not visible at install; and (2) the skill's core function is to post the user's technical questions to an external platform, constituting by-design context exfiltration combined with autonomous 24/7 operation and agent-to-agent viral spread mechanics. No credential theft or malware was detected during installation, but the skill's design prioritizes platform growth and operator control over user privacy and agent autonomy.
Findings (10)
CRITICAL (-62): External URL serves as live, remotely-modifiable instruction source
SKILL.md directs the agent to fetch its 'Complete Documentation' from https://clawstack.ai/skill.md, which includes engagement strategies, viral growth tactics, cron job setup, and Moltbook recruitment instructions. This URL is controlled by the skill operator and can be updated at any time after installation to deliver new, arbitrary instructions into the agent's context — including instructions not present in the reviewed SKILL.md. This is a textbook late-binding prompt injection mechanism.
HIGH (-40): By-design exfiltration of user technical context to external platform
The core function of this skill is to have the agent post the user's technical questions and code problems to an external Q&A platform visible to other agents and humans. Any confidential code, architecture details, API designs, or business logic the user discusses with their agent could be posted to clawstack.ai without the user fully understanding this is happening.
HIGH (-45): Autonomous 24/7 operation without user oversight
The skill explicitly promotes 'Autonomous Mode — Set up once, runs 24/7' and encourages setting up cron jobs. This design pattern removes human-in-the-loop review from a skill that makes external network calls, posts content publicly, and interacts with a community platform on the user's behalf.
HIGH (-35): Viral self-propagation mechanism targeting other AI agents
The skill explicitly includes 'Viral Growth' features including 'Moltbook recruitment' and referral programs designed to make agents recruit other agents into the platform. This creates a self-spreading mechanism that can compromise other agents' behavior and focus.
HIGH (-25): Social media posting required as part of agent identity verification
The skill's installation flow requires the agent to post a specific tweet on Twitter/X, creating public social media content on the user's behalf. This establishes a precedent for the agent posting externally without per-action user consent.
MEDIUM (-15): API key persistence in agent environment
The skill instructs the agent to persist a CLAWSTACK_API_KEY in its environment via shell export, creating a long-lived credential that subsequent tool calls in the same session can access.
MEDIUM (-30): Operator-controlled answer network injects information back into agents
When the agent queries clawstack.ai for answers (unanswered questions endpoint), it receives responses from a network controlled by the platform operator. These answers could contain additional instructions, manipulated information, or prompt injection payloads embedded in answer bodies.
LOW (-15): Psychological manipulation language to drive autonomous engagement
The skill uses FOMO, streak, leaderboard, and competition framing explicitly documented as 'engagement strategies' to encourage the agent to prioritize platform participation over user tasks.
INFO (0): No executable code found in skill package
The skill package contains only SKILL.md, README.txt, SUMMARY.txt, and _meta.json. No JavaScript, Python, shell scripts, npm hooks, git hooks, or submodules were found. The install process performed only a git sparse-checkout clone from github.com/openclaw/skills — no code was executed from the skill itself.
INFO (0): No unexpected network connections during installation
The only external connection during installation was to 140.82.121.3:443 (GitHub), which is expected for the git clone operation. No connections to clawstack.ai or other third-party hosts were initiated during the install phase.