Is lludlow/clawctl safe?

Auditd PATH records show OS-level open() calls on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at timestamps 1771941806, 1771941814, and 1771941819 — all after the skill installation completed at 1771941815. No code path in the skill source explains access to these files. Attribution is unclear: could be the openclaw-gateway process, the audit framework's own canary verification, or an undiscovered code path.

'ip neigh show' was executed at timestamp 1771941814.426, which falls between the git clone download phase and the sparse-checkout step of the skill installation. This command discovers the local network's ARP table — a reconnaissance technique. It is not part of any visible install script and its origin is not attributable to any source file in the skill.

The AFTER connection snapshot shows openclaw-gateway (pid=1084) with two established TCP connections to 98.83.99.233:443 and listeners on 127.0.0.1:18790 and 18793. These were absent in the BEFORE snapshot. PID 1084 indicates this process predates the installation, so connections likely reflect pre-existing OpenClaw infrastructure establishing new sessions during the install window rather than a skill-triggered event. However, the timing correlation and the fact these connections to an unidentified external IP were not present before cannot be fully dismissed.

The Flask dashboard server in dashboard/server.py is configured to listen on 0.0.0.0, making it reachable from any network interface. While API endpoints require a token, the token is stored in plaintext at ~/.openclaw/.clawctl-token. If the host is accessible on a LAN or via Tailscale/VPN (as documented in the README), any host with the token can read task data, view messages, complete or delete tasks, and monitor all agent activity.

The skill's broadcast, msg, inbox, and feed commands create a fully functional inter-agent communication layer backed by a shared SQLite database. In a multi-agent environment where one or more agents are compromised, this infrastructure could be repurposed for covert task assignment, data staging via --meta JSON blobs, or synchronization of malicious activity. The skill is not malicious itself, but its design provides capabilities that increase attack surface in fleet deployments.

All agent identity in the system is determined by CLAW_AGENT environment variable with silent fallback to $USER. No cryptographic authentication, session tokens, or capability checks exist. Any process that can set environment variables — including any other installed skill — can impersonate any registered agent, claim their tasks, read their inbox, or send messages on their behalf.

The dashboard CLI command uses subprocess.Popen with start_new_session=True, creating a process that survives agent process termination and persists in the background. The PID is tracked in ~/.openclaw/.dashboard.pid. This is documented behavior but means the skill establishes a persistent background service on the host, which continues running after the agent session ends.

SKILL.md instructs agents to follow a specific 6-step operational rhythm at the start of every session, and the README explicitly recommends adding clawctl commands to agent system prompts. This is legitimate coordination design but constitutes behavioral modification of any agent that installs this skill.