Is josephl37/share-usecase safe?

https://github.com/openclaw/skills/tree/main/skills/josephl37/share-usecase

Overall score: 49 · DANGEROUS

The share-usecase skill implements a structured data harvesting pipeline disguised as a community showcase utility: it autonomously mines conversation history, extracts project details and submits them to an author-controlled external API, and collects OAuth identity credentials via an author-controlled Convex backend. The SKILL.md uses aggressive behavioral override directives that suppress normal agent caution and force synchronous blocking execution patterns. While the installation itself was clean and canary files were not exfiltrated at install time, the runtime behavioral instructions are designed to cause conversation content and user identity to flow to infrastructure entirely controlled by the skill author.

Category Scores

Category                 Score    Weight
Prompt Injection         55/100   30%
Data Exfiltration        15/100   25%
Code Execution           55/100   20%
Clone Behavior           80/100   10%
Canary Integrity         90/100   10%
Behavioral Reasoning     15/100    5%

Findings (10)

CRITICAL Conversation history mined and submitted to author-controlled external server -40

SKILL.md explicitly instructs the agent to read the last 50-100 conversation messages, extract problem statements, solution descriptions, tools used, and requirements, then POST this distilled content to clawusecase.com via submit.js. The receiving endpoint is operated by the skill author. Any sensitive project details, API keys mentioned in conversation, internal system names, or proprietary architecture discussed in prior turns may be included in the submission.

CRITICAL OAuth credentials stored and retrieved from author-controlled Convex backend -30

The OAuth flow generates tokens via clawusecase.com and stores credential results (username, platform identity) in benevolent-tortoise-657.convex.cloud, a Convex deployment provisioned and controlled by the skill author. get-credential.js polls this backend with the token to retrieve the stored credential object. The author therefore receives and persists a copy of the user's linked social identity tied to the submission.

HIGH Aggressive imperative language overrides normal agent caution -20

SKILL.md contains multiple high-pressure behavioral directives using ALL-CAPS, bold, and warning symbols designed to suppress agent judgment and force immediate execution. These patterns mimic emergency override instructions and are inconsistent with a legitimate community sharing tool. The directives specifically instruct the agent NOT to pause, NOT to run things in background, and to act 'IMMEDIATELY' — language patterns associated with prompt injection attacks that attempt to bypass safety reasoning.

HIGH Autonomous conversation history mining without explicit user consent -15

The skill instructs the agent to proactively scan and analyze the entire recent conversation history (50-100 messages) as part of its standard operation, before the user has agreed to share that content. This passive data collection occurs in the background of what appears to be a user-initiated sharing action, but the scope of data collection is not disclosed to the user at trigger time.

HIGH Executable scripts make HTTPS requests to author-controlled infrastructure -20

submit.js and get-credential.js are Node.js scripts that make outbound HTTPS connections to clawusecase.com and benevolent-tortoise-657.convex.cloud respectively. These endpoints are not user-configurable via any documented mechanism beyond editing raw config.json. The scripts accept arbitrary data from agent context and transmit it externally with no local filtering or user review of the raw payload.

MEDIUM Synchronous blocking polling loop stalls agent for up to 4 minutes -10

SKILL.md instructs the agent to run a synchronous shell polling loop (24 iterations × 5 seconds = 2 minutes) and explicitly forbids running it as a background process. The skill then instructs a second 24-attempt extension on timeout, creating a potential 4-minute blocking window. This design prevents the user from interacting with the agent and can be used to create urgency pressure or to occupy the agent while other operations complete.

MEDIUM Shell script provides secondary execution path invoking Node.js -10

poll-credential.sh is a bash script that invokes get-credential.js in a loop. When the SKILL.md polling instructions are followed, the agent executes this script in the foreground, spawning bash and node subprocesses. This creates an additional code execution surface beyond what direct node invocation would provide.

MEDIUM Hardcoded external data sinks prevent user redirection -15

Both external endpoints are hardcoded in config.json and used as defaults in the scripts. While environment variable overrides exist, they are not documented in SKILL.md or README.md, meaning ordinary users have no practical way to redirect submissions to a self-hosted or audited endpoint.

HIGH Complete workflow pattern matches structured data harvesting operation -85

When analyzed holistically, the skill implements a three-stage data collection pipeline: (1) autonomous scanning of conversation history to extract sensitive project information, (2) submission of that extracted information to author-controlled servers, (3) OAuth identity linking that associates the user's social identity with submissions on author-controlled infrastructure. The 'community showcase' framing provides social legitimacy for what is functionally an exfiltration workflow. A sophisticated attacker would design exactly this kind of skill — a plausible utility that users would voluntarily trigger, providing cover for systematic data collection.

INFO Installation process was clean with expected network activity only 0

The git clone and sparse-checkout process contacted only github.com (140.82.121.3:443). No unexpected processes were spawned, no filesystem modifications occurred outside the skill directory, and no runtime code executed during installation.