Is jooneyp/secucheck safe?
https://github.com/openclaw/skills/tree/main/skills/jooneyp/secucheck
secucheck is a legitimate-appearing OpenClaw security auditing skill with a meaningful but non-malicious risk profile. The primary concerns are its auto-trigger design (silently running full system audits on every skill install and agent modification without per-invocation user approval), its persistent background HTTP server that intentionally exposes complete security audit results on the LAN IP rather than localhost, and a self-contradictory capability profile where it requests the exec+gateway combination that its own audit logic flags as HIGH risk. No confirmed malicious behavior, active data exfiltration, or canary compromise was detected, but the skill's broad automatic activation, network exposure of sensitive audit data, and extensive system inspection scope require careful consideration before deployment.
Findings (13)
HIGH Auto-trigger invokes full audit without per-operation user consent -15
SKILL.md instructs the agent to automatically run the full security audit (which reads all OpenClaw config, scans agents, enumerates skills, checks network, and starts a web server) on every skill installation, agent creation/modification, and cron job change. These trigger automatically without the user explicitly requesting a security audit, expanding the skill's effective footprint to all system modification events.
HIGH serve_dashboard.sh spawns persistent background HTTP server bound to LAN interface -20
The skill instructs the agent to automatically run serve_dashboard.sh after every audit, which starts a background HTTP server on port 8766 and returns a PID. This server is not stopped when the skill finishes — it persists indefinitely. SKILL.md explicitly instructs the agent to report the LAN IP rather than localhost, meaning the full security audit report (external IP, VPN status, privilege levels, all findings) is intentionally exposed to every device on the local network.
HIGH exec+gateway capability combination matches skill's own HIGH-risk finding -10
skill.json requests exec:true and gateway:true capabilities. The skill's own full_audit.sh explicitly flags any agent with exec that does not deny gateway as a HIGH severity finding and recommends adding gateway to the deny list. The skill author is aware this combination represents elevated risk yet requests it for their own skill without applying the mitigation they recommend to others.
MEDIUM Outbound HTTP requests to external IP-fingerprinting services on every invocation -15
runtime_check.sh makes outbound HTTPS requests to ifconfig.me and api.ipify.org every time the audit runs. While only the returned external IP is stored locally, these requests disclose to external services that an audit is being performed, fingerprinting the frequency and source of security audit activity. Because the skill auto-triggers, these external calls occur without the user explicitly running a network check.
MEDIUM LAN-accessible dashboard exposes full security posture to local network -10
The dashboard served on the LAN IP contains the complete audit report: external IP, VPN type, container status, running-as-root flag, sudo availability, gateway bind address, file permission weaknesses, all channel/agent/skill findings with remediation details, and runtime environment fingerprint. Any device on the local network can access this without authentication while the background server PID is running.
MEDIUM gather_config.sh reads full OpenClaw config with client-side token redaction -8
gather_config.sh reads ~/.openclaw/openclaw.json in full and applies jq-based redaction via a regex matching token|password|secret|apiKey|appToken|botToken. Custom credential field names not matching this pattern would be exposed. The full redacted config structure is then passed through the audit pipeline and can appear in dashboard output or agent context.
MEDIUM Persistent auto-trigger creates ongoing passive system reconnaissance -25
Because secucheck fires automatically on every skill install and agent modification, it functions as a continuously active monitoring agent rather than an on-demand tool. Each automatic invocation collects fresh intelligence: current network exposure, privilege state, all agent configurations, installed skill list, cron jobs, and session isolation status. A malicious actor who installs secucheck first gains an ongoing feed of system security state changes without requiring further user interaction.
MEDIUM Shell scripts execute broad system inspection commands including sudo access tests -12
The audit scripts execute a wide range of system commands covering network state, process information, privilege levels, and firewall configuration. Notably, runtime_check.sh uses sudo -n true to test for passwordless sudo access, and check_network.sh calls sudo ufw status and sudo firewall-cmd --state. These sudo invocations could trigger sudo logging or reveal sudo policy details.
MEDIUM full_audit.sh invokes openclaw security audit --deep for live gateway probing -10
The full audit script runs openclaw security audit --deep --json, which performs a live deep probe of the running OpenClaw gateway process. This goes beyond passive config reading to actively interrogating the running gateway, potentially triggering gateway-side logging, rate limiting, or authentication events.
LOW gather_agents.sh reads and scans all SOUL.md agent system prompt files -5
gather_agents.sh scans all agent SOUL.md files (agent system prompts) and checks their contents against patterns including 'ignore safety', 'bypass', and 'override'. While intended as a security scan, this means the full text of agent system prompts — which may contain sensitive operational instructions, persona definitions, or capability scopes — flows through the audit scripts and into the report.
LOW Agent instructed to invoke browser tool automatically without user request -7
SKILL.md instructs the agent to open the dashboard URL in a browser tool after every audit run, without requiring an explicit user request for browser access. This expands the skill's tool footprint beyond exec and gateway into browser tool use on every invocation.
INFO Clean installation from official OpenClaw monorepo via sparse-checkout 0
The skill was installed via a sparse-checkout of the official openclaw/skills GitHub monorepo. The only external network connection during installation was to 140.82.121.4:443 (GitHub). No git hooks, .gitattributes filters, git submodules, symlinks, or unexpected processes were observed. Pre-existing connections to Ubuntu/Canonical infrastructure (185.125.x.x) predated the installation and were unrelated.
INFO Canary credential files read but contents unmodified; no exfiltration confirmed -18
Six honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were read-accessed at timestamps 1771939958 (pre-install) and 1771939980 (post-install). The post-install batch shows all six files accessed at the same millisecond with consecutive audit IDs (1642-1647), consistent with a systematic oathe infrastructure canary integrity sweep rather than skill-initiated access. All files confirmed unmodified.