Is sysadmin-toolbox safe?

https://clawhub.ai/jdrhyne/sysadmin-toolbox

Overall score 68/100 · CAUTION

This skill is a curated reference from the well-known 'the-book-of-secret-knowledge' GitHub repository, containing sysadmin tools, shell one-liners, and security tool recommendations. While it contains no direct malicious code or exfiltration mechanisms, it poses moderate risk due to its aggressive AUTO-CONSULT activation scope, inclusion of offensive security content (reverse shell techniques, exploit frameworks, password crackers) that could influence agent behavior, and an external refresh mechanism that creates a supply-chain dependency. The skill is informational in nature but dangerous in the context of an LLM agent with shell access.

Category Scores

Prompt Injection 55/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (9)

HIGH · Aggressive AUTO-CONSULT activation scope · -25

The skill description uses AUTO-CONSULT with an extremely broad set of activation triggers including 'troubleshooting network issues', 'debugging processes', 'analyzing logs', 'working with SSL/TLS', 'managing DNS', 'testing HTTP endpoints', 'auditing security', 'working with containers', and 'writing shell scripts'. This means the skill injects itself into a very large percentage of sysadmin conversations without explicit user request, expanding its influence surface significantly.

HIGH · Skill directs agent to load reference files containing offensive content · -20

The skill instructs the agent to 'Load relevant references' which include security-tools.md containing links to exploit frameworks, backdoor collections, password crackers, and automated exploitation tools. When loaded into agent context, this normalizes offensive tool usage and could influence agent behavior toward executing security tools.

HIGH · Reverse shell stabilization techniques in agent context · -25

shell-tricks.md contains step-by-step instructions for stabilizing a reverse shell (script /dev/null -c bash, stty raw -echo, export TERM=xterm). While educational in a standalone context, when injected into an LLM agent's prompt with shell access, this provides ready-made instructions an attacker could social-engineer the agent into executing.

MEDIUM · Executable refresh.sh script with upstream dependency · -20

The skill includes scripts/refresh.sh which is designed to pull content from an upstream GitHub repository. If the upstream repo (trimstray/the-book-of-secret-knowledge) is compromised, malicious content could be injected into the skill's reference files during a refresh. The agent could be instructed to run this script.

MEDIUM · Shell one-liners reference external IP/DNS services · -15

The shell-oneliners.md reference file contains commands that contact external services (ipinfo.io, icanhazip.com, ifconfig.me, dns.google.com, ip-api.com). If the agent executes these as suggested one-liners, network information about the user's environment (such as its public IP address) would be sent to third-party services.

MEDIUM · Credential-adjacent curl patterns could normalize exposure · -10

Shell one-liners include curl examples with authentication flags (-u, --user, -E, --cert, --proxy-user) and a 'sterile' history function that explicitly filters credential patterns, which implies the referenced commands regularly handle credentials. Agent execution of these patterns could expose secrets.

LOW · Canary files accessed during OpenClaw startup (not by skill) · -10

Filesystem monitoring shows .env, .aws/credentials, .profile, and .bashrc were read during the clone phase. However, these accesses are attributable to the OpenClaw agent runtime initialization (jiti compilation, gateway lock), not the skill itself. The skill has no install scripts or hooks.

INFO · No npm scripts, git hooks, or submodules · 0

package.json is empty. No .githooks directory, no .gitattributes filters, no .gitmodules, and no symlinks were detected. The skill has no automated code execution during installation.

INFO · All honeypot files intact · 0

No canary files were modified during the audit. Hash comparison before and after shows no changes to any honeypot credentials or sensitive file decoys.