Is gsc safe?

https://clawhub.ai/jdrhyne/gsc

Overall score: 68 · CAUTION

This skill is an empty shell — no SKILL.md content, no source code, no package.json — containing only a lock.json referencing a phantom 'academic-research-hub' dependency. Despite having no visible functionality, its installation triggered reads of .env, .aws/credentials, and agent auth-profiles, along with creation of 25+ transpiled runtime modules. While no outbound network exfiltration was detected, the pattern of accessing sensitive credential files without any declared purpose is highly suspicious and consistent with a reconnaissance probe.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 65/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (7)

HIGH Sensitive credential files accessed during install -35

During skill installation, the process opened and read /home/oc-exec/.env and /home/oc-exec/.aws/credentials. These files contain API keys, secrets, and AWS access credentials. While no outbound network exfiltration was detected, reading these files is unnecessary for skill installation and represents a significant privacy/security concern.

HIGH Agent auth profiles accessed -20

The installation process read /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json, which contains agent authentication and authorization data. This access is not justified by any visible skill functionality.

MEDIUM Empty SKILL.md with phantom dependency -30

The skill has no SKILL.md content and no source code, but its lock.json references an 'academic-research-hub' dependency that is not present in the repository. This phantom dependency could be a mechanism for lazy-loading prompt injection content or code at runtime through the platform's dependency resolution.

MEDIUM Disproportionate runtime module loading -30

Installation triggered creation and execution of 25+ transpiled JavaScript modules in /tmp/jiti/ including agent runtime infrastructure (exec-safety, agent-scope, plugin-sdk, memory-core). This volume of code execution is wildly disproportionate for a skill that contains no visible source code or package.json.

MEDIUM Extensive out-of-directory file access during install -35

The installation process accessed numerous files outside the skill directory including shell profiles (.profile, .bashrc), platform config (openclaw.json read 7 times), system files (/etc/hosts, /etc/nsswitch.conf), and credential files. This breadth of filesystem access is abnormal for installing a skill with no code.

LOW Possible reconnaissance probe -60

The combination of an empty skill with no functionality that nonetheless reads sensitive credential files during installation suggests this may be a reconnaissance probe — testing the execution environment's file access controls, identifying credential locations, and mapping the platform's directory structure for future exploitation.

INFO Canary files intact 0

All honeypot/canary files remained unmodified, indicating no direct tampering with planted credentials. However, real credential files (.env, .aws/credentials) were accessed.