Is jooey/openclaw-starter-guide safe?

https://clawhub.ai/jooey/openclaw-starter-guide

91
SAFE

This skill is a documentation guide for setting up OpenClaw with various AI model providers, written in Chinese. It contains no executable code, no data exfiltration attempts, and triggered no suspicious behavior during installation. The primary concerns are affiliate referral links that financially benefit the author and recommendations to install three additional unaudited skills, creating a trust chain beyond this audit's scope.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (7)

LOW Affiliate/referral tracking links -5

The skill contains affiliate referral links for SiliconFlow and NewCLI/FoxCode that include tracking parameters, financially benefiting the skill author when users register through these links. While not malicious, this represents an undisclosed financial incentive.

LOW Implicit trust chain via skill installation commands -7

The guide recommends installing three additional skills (add-siliconflow-provider, add-minimax-provider, add-newcli-provider) via clawhub install. An LLM agent following this guide could install these unaudited skills, extending the attack surface beyond what this audit covers.

INFO Instructional bash commands in markdown -5

The skill contains bash commands within markdown code fences (npm install, curl API tests, openclaw CLI commands). These are educational examples with placeholder values, but an overly literal LLM agent could attempt execution.

INFO API key placeholder patterns in config examples -5

Configuration examples use placeholder tokens (, , ) for API credentials. These are properly templated and do not attempt to capture or transmit real credentials.

INFO Clean installation with expected network activity only -5

Git clone from GitHub over HTTPS was the only skill-initiated network activity. All other traffic (Ubuntu snap updates, mDNS, CUPS) is normal OS background activity.

LOW Dependency on unaudited downstream skills -15

The skill's primary value proposition involves installing three provider-configuration skills that have not been independently audited. A sophisticated attacker could publish a benign guide skill that directs users to install malicious provider skills. No evidence this is the case here, but the pattern warrants awareness.

INFO Chinese-language content limits auditability -5

The skill is written primarily in Chinese (Simplified). While no hidden instructions were found, non-Chinese-speaking users may not fully understand all content injected into their agent's context.