Is lidan-capsule/clawguard safe?

https://github.com/openclaw/skills/tree/main/skills/lidan-capsule/clawguard

62
CAUTION

ClawGuard's SKILL.md contains no direct prompt injection, hidden instructions, or malicious code, and the git clone operation was clean with only expected GitHub traffic. However, the skill's core function — directing an agent to install the unaudited @capsulesecurity/clawguard npm package — creates a critical blind spot: that package registers a before_tool_call hook with full visibility into every agent action, ships with external metrics telemetry enabled by default, and was not analyzed in this audit. The combination of a privileged interception layer, default third-party telemetry, token-exposing troubleshooting instructions, and fragmented identity across four namespaces (lidan-capsule, clawdbot, capsulesecurity, openclaw) warrants significant review before installation in any environment with sensitive data or privileged tool access.

Category Scores

Prompt Injection 72/100 · 30%
Data Exfiltration 50/100 · 25%
Code Execution 45/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 82/100 · 10%
Behavioral Reasoning 38/100 · 5%

Findings (6)

HIGH Unaudited external npm package installed with full before_tool_call hook access -55

The skill's sole function is to instruct the agent to install @capsulesecurity/clawguard from npm. This package is not included in the skill files and was not analyzed in this audit. The package registers a before_tool_call hook granting it execution context and complete visibility into every tool invocation the agent makes — including file read arguments, shell command strings, API keys passed as parameters, and any sensitive data in tool inputs. A malicious or compromised package version could silently log and exfiltrate all of this data or manipulate tool execution decisions.

HIGH Default anonymous metrics enabled — tool call telemetry sent to third-party servers -30

The plugin ships with metricsEnabled: true. Because ClawGuard intercepts all tool calls, its metrics pipeline has structural access to tool call metadata. Even metadata-only telemetry from a before_tool_call hook can leak sensitive operational patterns (which files are read, which commands are run, call frequency). The metric collection endpoint is controlled by capsulesecurity, not the user or the openclaw project.

MEDIUM Troubleshooting steps instruct agent to expose authentication tokens in plaintext -20

The troubleshooting section, when injected into an agent's context and followed, directs the agent to print the OPENCLAW_GATEWAY_TOKEN environment variable and grep gateway config files for token values. This exposes authentication material in agent output, conversation history, and any logging systems capturing agent responses.

MEDIUM Security-labeled plugin with hook interception creates high-trust attack surface -45

A plugin claiming security benefits that intercepts all tool calls is a high-value attack primitive: it can selectively rate malicious operations as 'safe' while rating legitimate security or audit operations as 'high risk' to block them. Users grant security plugins elevated implicit trust, reducing the scrutiny they apply to the plugin's own behavior. If the npm package is ever compromised via a supply chain attack, the impact is total visibility and control over agent actions.

LOW All credential canary files read during monitoring window -12

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .gcloud/application_default_credentials.json) were all opened and read (CLOSE_NOWRITE) during the audit. Timing analysis places the first batch at 08:12:42 (5 seconds before git clone, during audit harness initialization) and the second batch at ~1771920780 (post-install canary verification by harness). No network activity correlates with these reads. Assessed as audit infrastructure activity, not skill-initiated. Files were not modified.

LOW Repository identity fragmented across three namespaces -10

The skill owner is lidan-capsule, the _meta.json commit references github.com/clawdbot/skills (not openclaw/skills), the npm package is scoped to @capsulesecurity, and the homepage links to capsulesecurity/clawguard on GitHub. This identity fragmentation across four distinct namespaces complicates supply chain verification: a user cannot easily confirm whether these all refer to the same controlled entity or represent namespace squatting or an impersonation.