Is luccast/public safe?

https://github.com/openclaw/skills/tree/main/skills/luccast/public

74
CAUTION

Crabwalk appears to be a legitimate monitoring tool but downloads and executes remote binaries without verification, modifies system configuration, and installs a network-accessible web server. While no malicious behavior was directly observed, the remote code execution and persistent system changes present significant security risks.

Category Scores (score out of 100 · weight in the overall rating)

Prompt Injection 85/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 35/100 · 20%
Clone Behavior 80/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (4)

HIGH Downloads and Executes Remote Binary -40

The skill downloads a binary from GitHub releases and executes it without verification. This creates significant risk as the remote binary could be malicious or compromised.

MEDIUM Persistent System Modifications -25

The installation modifies shell configuration files and attempts to install system packages with sudo, making persistent changes to the host system.

MEDIUM Network Service Installation -30

The skill installs and runs a web server accessible from the network, creating potential attack surface that users may not expect.

LOW Network Connections During Install -20

The installation process makes network connections to download software, which, while expected, represents a potential data transmission channel.