Is jonathanjing/glass2claw safe?
https://github.com/openclaw/skills/tree/main/skills/jonathanjing/glass2claw
glass2claw is an instruction-only skill with no executable code, no direct prompt injection attacks, and clean clone behavior — the canary file accesses observed during monitoring are attributable to the Oathe audit framework's own baseline and integrity checks, not the skill. However, the skill's architecture creates significant indirect risk: it unconditionally trusts a user-controlled config file (configs/vision_router.md) for all routing decisions, meaning a compromised or malicious version of that file could redirect WhatsApp image streams to attacker-controlled Discord channels without any modification to the skill itself. The underdocumented web_fetch tool requirement and the pattern of pasting SAMPLE files into persistent agent SOUL.md configuration further expand the attack surface beyond what the stated functionality requires.
Findings (7)
HIGH (-20): Indirect prompt injection via user-controlled config file
The skill instructs the agent to read configs/vision_router.md for all routing decisions (Notion DB IDs, Discord session keys). This file is not validated or sandboxed. A malicious or compromised version of this file could redirect image routing, inject additional instructions into the agent's context, or override intended behavior without any modification to SKILL.md itself.
HIGH (-18): Multi-hop Discord routing enables image exfiltration if config is compromised
The entire routing chain relies on session keys specified in configs/vision_router.md. If those keys point to attacker-owned Discord channels rather than the user's private channels, all WhatsApp images (which may contain sensitive personal or business content) are routed to and stored by the attacker. The skill provides no mechanism for the agent to validate that session keys belong to the user.
MEDIUM (-14): web_fetch tool scope undocumented and unscoped
web_fetch is listed as a required tool in the skill metadata, but its usage is not documented anywhere in the skill body. The stated data flow references only the sessions_send and message tools for routing. An agent with web_fetch capability can make arbitrary outbound HTTP requests, and the skill's open-ended instruction set does not prohibit using web_fetch to send image URLs or API keys to external endpoints.
MEDIUM (-10): SAMPLE files inject persistent instructions into agent system configuration
The skill ships SAMPLE_AGENT.md and SAMPLE_SOUL_WINE.md with explicit instructions to paste their contents into AGENTS.md and SOUL.md, the persistent agent configuration files that define baseline agent behavior. This pattern embeds skill-controlled instructions at the system-prompt level, outside the normal skill invocation context, where they can persist across sessions and survive skill updates.
LOW (-5): Environment variable NOTION_API_KEY required in agent context
The skill requires NOTION_API_KEY to be available in the agent's environment. While this is legitimate for the skill's stated purpose, any skill with env-var access can read every environment variable visible to the agent process, not just the ones it declares. This expands the credential exposure surface.
INFO (-5): Canary file accesses attributable to audit framework
Filesystem accesses to .env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials were observed during monitoring. The accesses at timestamps 1771908561 (audit init) and 1771908584 (integrity verification) match the audit framework's own canary baseline and integrity check cadence, not skill-triggered behavior. No write events or exfiltration were detected.
INFO (-10): Skill is benign in isolation but dangerous in a compromised config environment
glass2claw contains no malicious instructions and no executable code. Its risk profile is determined almost entirely by the integrity of configs/vision_router.md. In a controlled environment with a trusted config file, the skill operates as documented. Paired with a skill that can write to the filesystem, or deployed in an environment where configs/ is externally writable, it becomes a reliable image exfiltration conduit.