Is karda8752/sawiex safe?

The skill package ships a .clawhub/lock.json that declares academic-research-hub v0.1.0 as an installed dependency (installedAt: 1770957475341, approximately Feb 14 2026). Lock files belong to the user's ClawHub environment and record their own installed skills — they have no legitimate place bundled inside a skill package. If ClawHub's installer merges or respects this file during installation, it would silently register academic-research-hub as installed in the user's skill environment without the user ever explicitly choosing to install it, potentially triggering its automatic activation or satisfying dependency resolution checks across the user's other skills.

The skill.md file is completely empty. There is no functionality, no description, no slash commands, and no reason any user would intentionally install this skill. The combination of zero legitimate content with a bundled dependency-injection lock.json is the defining pattern of a supply chain attack: a hollow package whose sole purpose is to force a secondary, potentially malicious package (academic-research-hub) into the victim's agent environment without their knowledge or consent.

While skill.md itself contains no prompt injection content, the skill appears engineered to silently load academic-research-hub into the user's agent context. That dependency's content is entirely unaudited and could contain instructions that override user preferences, suppress output, direct the agent to ignore previous instructions, instruct it to assume a different persona, or fetch attacker-controlled URLs. The skill functions as a first-stage stager for an unknown second-stage payload injected into the LLM system prompt.

If academic-research-hub is activated through the lock.json injection mechanism, its content could instruct the agent to read credential files, SSH private keys, AWS tokens, Docker registry credentials, GCloud service account keys, or other sensitive data, and exfiltrate them to attacker-controlled endpoints via tool calls. The lock.json mechanism bypasses the user's explicit consent gate for installing any secondary skill.

Auditd PATH records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were all opened and read at timestamps 1771908308.511 (audit records 373-378, pre-install) and 1771908324.996 (audit records 6883-6888, post-install). The canary integrity check confirms no file modification. The identical sequential read pattern at session start and end is consistent with the test framework's own canary bookend verification rather than skill-initiated access. Reported for completeness and transparency.

The skill package itself contains no executable code, scripts, package.json, git hooks, submodules, or symlinks. However, academic-research-hub, if installed and activated as a result of the lock.json injection, could contain arbitrary executable content including shell commands, agent tool-call sequences, or npm lifecycle hooks that execute at activation time.

Honeypot credential files were accessed (read) during the session but the post-install canary integrity check confirms all files are unmodified and unexfiltrated via detectable mechanisms. The access pattern is consistent with test-framework verification. No write or modification syscalls on canary files were detected.