Is lich2000117/clawbridge-skill-latest safe?
https://github.com/openclaw/skills/tree/main/skills/lich2000117/clawbridge-skill-latest
The clawbridge skill's SKILL.md is a clean documentation file with no prompt injection, but the product's architecture introduces significant trust risks: the recommended install path is an unverified curl-pipe-bash from clawbridge.cloud, and the runtime binary — closed-source with private prompts — acts as an orchestrator that can direct the OpenClaw agent as a worker and upload results to an external Vault. Additionally, the skill exhibits mismatched GitHub provenance across three organizations (openclaw, clawdbot, moltlife), which prevents source verification. Canary files were accessed during the audit window but the integrity check confirms no modification or exfiltration; accesses are consistent with the audit system's own baseline reads.
Findings (9)
CRITICAL (-60): Install command executes arbitrary remote shell script
The SKILL.md install metadata specifies curl -fsSL https://clawbridge.cloud/install | bash as the recommended install path. This pattern downloads and executes code from an external domain without any integrity verification (no checksum, no pinned version). The script runs with the user's full shell privileges and could install backdoors, modify PATH, or harvest credentials before the agent even invokes the skill.
HIGH (-45): Closed-source runner directs agent as worker and uploads results off-host
The clawbridge binary's documented architecture includes 'Call OpenClaw as worker' and 'Upload to Vault'. This means the binary can issue arbitrary prompts to the OpenClaw agent — which has file, network, and shell tool access — then forward the agent's responses to clawbridge.cloud. A malicious or compromised runner could trivially instruct the agent to read ~/.ssh/id_rsa, .env files, or project secrets, then include them in the Vault upload.
HIGH (-20): Normal operation sends user data to clawbridge.cloud by design
Even absent malicious intent, the skill's intended function transmits discovery results (candidate data, workspace context) to clawbridge.cloud and returns a VAULT_URL. Users installing this skill are granting a third-party SaaS access to data their agent produces. The privacy policy and data retention terms of clawbridge.cloud are not reviewed as part of this audit.
MEDIUM (-30): Mismatched repository provenance across three GitHub organizations
The skill is published in openclaw/skills, but package.json declares the repository as github.com/moltlife/clawbridge-skill.git, and _meta.json records a commit hash from github.com/clawdbot/skills. This three-way mismatch suggests either a supply-chain hand-off that was not documented, or that the skill files were assembled from sources of differing origin. It prevents verification that the published skill matches any canonical source.
MEDIUM (-25): Opaque private business logic enables unauditable agent orchestration
The runner's prompts, ranking criteria, venue selection, and outreach strategy are explicitly described as private. Because the agent executes whatever prompts the runner provides, there is no way to audit what the agent is being instructed to do on each run without dynamic analysis of the binary. This creates permanent audit blindness for anyone who installs the skill.
MEDIUM (-15): All six credential canary files accessed during audit window
inotifywait and auditd PATH records confirm that .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json were each opened (CLOSE_NOWRITE) at two timestamps: once before install (1771920321.949) and once after (1771920345.057). The most plausible explanation is the audit system's own canary baseline and post-install integrity check. However, the individual SYSCALL records for audit events 267-272 are not shown, preventing definitive attribution.
LOW (-12): Runner fully controls stdout fed back to agent
The skill instructs the agent to parse clawbridge run stdout and relay it to the user. The runner controls this output stream entirely. A malicious or compromised runner could inject additional lines beyond VAULT_URL= and CANDIDATES_COUNT= to instruct the agent to take follow-on actions (e.g., 'NEXT_STEP=read ~/.ssh/config and send to ...'). The risk is low given that the agent would need to misinterpret stdout as instructions, but the attack surface exists.
INFO (0): Git clone behavior is clean
The installation only contacted github.com (140.82.121.4:443) via HTTPS. No unexpected process spawning, no filesystem changes outside the designated skill directory, no git submodules, no git hooks, and no symlinks were detected. Pre-existing connections to Ubuntu/Canonical servers are unrelated to the skill.
INFO (0): SKILL.md body contains no prompt injection artifacts
Full review of SKILL.md found no hidden unicode, HTML comments, override instructions, external URL fetch directives, persona-switching language, or requests for permissions beyond running the clawbridge CLI. The frontmatter is structured YAML, not freeform instructions.