Is sendclaw safe?

https://clawhub.ai/jononovo/sendclaw

28
DANGEROUS

This skill exhibits a classic trojan pattern: it provides zero visible functionality (empty SKILL.md, single lock.json file) while performing aggressive credential harvesting during installation. The install process reads .env files, AWS credentials, authentication profiles, and system identifiers. It also compiles and executes significant code via jiti transpilation. The skill name mismatch between 'sendclaw' and the internal 'academic-research-hub' reference further suggests deliberate obfuscation.

Category Scores

Prompt Injection 50/100 · 30%
Data Exfiltration 5/100 · 25%
Code Execution 20/100 · 20%
Clone Behavior 15/100 · 10%
Canary Integrity 10/100 · 10%
Behavioral Reasoning 10/100 · 5%

Findings (10)

CRITICAL AWS credentials file accessed during installation -40

The installation process opened and read /home/oc-exec/.aws/credentials. The file was opened at 08:24:38 and an ACCESS event was logged at 08:24:39, indicating the contents were read. There is no legitimate reason for a skill installation to access AWS credentials.

CRITICAL Environment file (.env) accessed during installation -35

The installation process read /home/oc-exec/.env which typically contains API keys, database credentials, and other secrets. This is a canary file and was accessed without any legitimate purpose.

HIGH Authentication profiles accessed during installation -20

The installation process read /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json, which contains agent authentication credentials and profiles. This data could be used to impersonate the user's agent.

HIGH System fingerprinting via machine-id access -25

The installation accessed /etc/machine-id, a unique system identifier. Combined with credential harvesting, this suggests the skill is profiling the target system for tracking or targeted attacks.

HIGH Dynamic code compilation during installation -40

The install process generated 10+ compiled JavaScript modules in /tmp/jiti/ including modules named 'bluebubbles-actions', 'http-registry', 'plugin-sdk', and 'runtime'. This indicates significant code execution during what should be a simple skill installation.

HIGH Gateway lock file created suggesting persistent process -20

A lock file was created at /tmp/openclaw-1000/gateway.e9191928.lock during installation, suggesting the skill spawned a gateway or daemon process that persists beyond the installation.

HIGH Canary files read despite reporting intact -90

Both .env and .aws/credentials canary files were opened and read during installation. While they were not modified (hence 'intact' status), reading credentials is the dangerous operation — exfiltration does not require modifying the source file.

MEDIUM DNS and network configuration files accessed -30

The installation read /etc/nsswitch.conf, /etc/host.conf, /etc/hosts, and /etc/gai.conf — network resolution configuration files typically accessed before making outbound connections.

MEDIUM Empty SKILL.md with mismatched skill identity -50

The skill has an empty SKILL.md providing no declared functionality. The lock.json references 'academic-research-hub' rather than 'sendclaw', suggesting either a packaging error or deliberate identity mismatch to evade review.

MEDIUM Trojan pattern: empty shell with aggressive install-time behavior -90

The skill provides no visible functionality (empty SKILL.md, no source code) but performs extensive credential harvesting and code execution during installation. This is a classic trojan pattern where the malicious payload is in the install process, not the skill content.