Is jk50505k/clawdhub-copy safe?

https://github.com/openclaw/skills/tree/main/skills/jk50505k/clawdhub-copy

Overall 81/100 · SAFE

This skill is a documentation-only copy of the official ClawdHub package manager skill, published under a non-official user namespace. The SKILL.md is clean with no prompt injection or malicious instructions, and canary honeypot integrity was fully maintained throughout the audit. The primary concerns are: a suspicious pre-loaded .clawhub/lock.json shipping a foreign skill installation record (potential dependency injection), the impersonation/typosquatting risk inherent in an unofficial copy of a security-critical skill management tool, and the supply chain exposure created by instructing agents to install and execute a global npm package.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 80/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (7)

MEDIUM Pre-loaded lock.json contains foreign skill installation record -25

The .clawhub/lock.json file shipped with this skill already contains a record indicating that 'academic-research-hub' (version 0.1.0) was installed at Unix timestamp 1770957475341 (a millisecond epoch value). A fresh skill should ship with an empty or absent lock file. If the ClawdHub CLI trusts this record, it may treat a third-party skill as already installed in the user's environment, potentially skipping integrity checks or silently pulling in that dependency. Whether this is developer pollution (a lock file copied out of the author's own workspace) or intentional injection is unclear; either way the record should be removed before the skill is trusted.

MEDIUM Unofficial namespace copy of official security-critical skill — impersonation risk -30

The official ClawdHub package manager skill lives in the openclaw org. This skill's content is byte-for-byte identical to it, but it is published under a personal user account (jk50505k/clawdhub-copy). Because ClawdHub is the agent's skill management tool itself, an unofficial copy of it occupies a privileged trust position. Users encountering this copy in the marketplace may not scrutinize it as carefully as they should, and if it were ever updated to diverge from the original, users who installed it would be running attacker-controlled skill management infrastructure. Identical content today is no guarantee about future versions.

LOW Global npm dependency creates supply chain attack surface -20

The skill instructs the agent to run 'npm i -g clawdhub', installing a package globally (a location that typically requires elevated privileges to write), and then delegates all skill management to that binary. A malicious version bump, an npm account takeover, or registry substitution via the documented CLAWDHUB_REGISTRY override would give an attacker code execution on the user's system with the privileges of whatever runs the binary. The documented 'clawdhub update --all --no-input --force' pattern compounds this by performing mass silent skill updates with no per-update user confirmation. Pinning an exact package version and verifying the registry in use before installing would narrow this surface.

LOW Post-install outbound connection to Cloudflare IP via openclaw-gateway -20

Following skill installation, a connection from the openclaw-gateway process to 104.16.7.34:443 was observed in TIME-WAIT state; the address is a Cloudflare-hosted IP consistent with clawdhub.com. This appears to be gateway-level install telemetry rather than skill-triggered behavior: the gateway was already running before the install and the connection used an existing file descriptor. The connection is nonetheless not fully attributable and is noted here.

LOW Credential honeypot files accessed during audit window -20

Six canary credential files were opened and read during the audit: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json. Access timestamps (1771917108 and 1771917133) bracket the skill installation (1771917129) but align with audit framework operations visible in the EXECVE trail (ss -tunap, lsb_release, audit harness bash scripts). All files were confirmed unmodified by the canary integrity check.

INFO Canary file access events observed — no exfiltration -12

Audit logs show two rounds of canary credential file accesses at timestamps consistent with the oathe framework's pre-install baseline setup and post-install integrity reconciliation. All files were confirmed intact. The slight score reduction reflects the presence of access events requiring investigation rather than a confirmed incident.

INFO No prompt injection vectors found in SKILL.md -10

The SKILL.md was inspected for all common injection patterns: override instructions, ignore-previous directives, hidden unicode, HTML/markdown comment smuggling, base64-encoded payloads, invisible characters, external URL fetch directives, and persona-switching commands. None were found. The content is standard CLI reference documentation.