Is karmanverma/search-openclaw-docs safe?
https://github.com/openclaw/skills/tree/main/skills/karmanverma/search-openclaw-docs
This skill presents as a legitimate OpenClaw documentation search utility but contains several patterns that warrant caution before deployment: the 'MANDATORY' behavioral framing in the skill description is a social engineering vector that overrides agent discretion, and the mandatory pre-execution read of AGENTS.md whose content was not available for audit creates an opaque instruction injection point. Installation was clean (no unexpected network connections, no canary exfiltration), but the unreviewed postInstall JavaScript execution and native better-sqlite3 addon represent uninspected code execution surfaces that cannot be cleared without full source review.
Findings (9)
HIGH (-20): Mandatory Behavioral Override in SKILL.md Description
The skill's description field uses 'MANDATORY before any openclaw.json changes' to compel the hosting agent to invoke this skill before every configuration operation. This is a social engineering vector that overrides the agent's discretion about when to use the skill.
HIGH (-18): Opaque AGENTS.md Pre-execution Gate with Unknown Content
SKILL.md instructs the agent to cat AGENTS.md before any use of the skill. The content of AGENTS.md was not surfaced in audit evidence. If AGENTS.md contains additional instructions — role overrides, data collection commands, permission escalation — they execute before any user interaction and are invisible to this audit.
HIGH (-20): Unreviewed postInstall Script Executes on User System
The skill declares a postInstall step that runs 'node scripts/docs-index.js rebuild'. This script executes arbitrary Node.js code on the user's machine at install time. The source of docs-index.js was read by the audit scanner, but its content was not included in the evidence, preventing static analysis.
MEDIUM (-12): Native C++ Addon Dependency (better-sqlite3) Executes at npm Install
better-sqlite3 is a native Node.js addon. Its installation triggers node-gyp to compile C++ code, which is an arbitrary native code execution event. Malicious packages have historically used native addon compilation as an attack vector.
MEDIUM (-10): Credential File Read Events During Monitoring Window
inotify and auditd both logged OPEN/ACCESS events against six credential file paths (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) at two points in the monitoring window. All accesses were CLOSE_NOWRITE, and the canary integrity system reports no exfiltration. Timing analysis suggests audit-system processes rather than skill code, but attribution is not definitive.
MEDIUM (-10): Skill Routing Directives Alter Agent Tool Selection
SKILL.md contains explicit negative routing rules telling the agent not to use other skills for certain tasks ('Personal memory/context: use memory_search instead'). This shapes agent behavior beyond the skill's documentation purpose, potentially suppressing other installed skills.
LOW (-8): Outbound GitHub Connection During Install
A TCP connection to 140.82.121.3:443 (GitHub) was established for the git clone operation. This is expected behavior for installing from the openclaw/skills monorepo and is consistent with the declared install mechanism.
INFO (0): All Honeypot Files Intact Post-Install
The audit monitoring system's canary integrity check confirms all honeypot credential files were unmodified after installation. No write events were recorded against any canary path.
INFO (0): No Persistent Connections Added by Install
Connection diff between pre- and post-install states shows no new listeners, no new outbound connections, and one pre-existing connection (185.125.188.54:443) that closed. The install left the network state clean.