Is lunarpulse/openclaw-mcp-plugin safe?
https://github.com/openclaw/skills/tree/main/skills/lunarpulse/openclaw-mcp-plugin
The lunarpulse/openclaw-mcp-plugin skill provides a legitimate MCP (Model Context Protocol) bridge that gives agents access to external tool servers. The SKILL.md content itself contains no direct prompt injection, hidden instructions, or exfiltration logic. However, the skill's architecture creates three significant risks: (1) all agent interactions are routed through user-configured external HTTP servers with no response sanitization, creating an indirect prompt injection surface; (2) npm dependencies were never installed or audited, leaving postinstall behavior unverified; and (3) credential files were read during the post-install monitoring window — while likely attributable to the audit framework's canary check pattern, the timing cannot be definitively ruled benign without deeper process-level attribution. Canary file contents remain intact.
Findings (9)
HIGH Credential files read during install monitoring window -20
Six high-value credential files were accessed (OPEN+ACCESS) during the audit window, both pre-install (audit seq 256-261, timestamp 1771938963) and post-install (audit seq 1501-1506, timestamp 1771938989): .env, an SSH private key, AWS credentials, the npm auth token, the Docker config, and GCP application default credentials. The two-access pattern with the inotify '---' separator is consistent with the audit harness performing before/after canary checks, but the post-install access at timestamp 1771938989, 6 seconds after installation completed, cannot be definitively attributed without process-level attribution (which process opened the files). Canary file contents are intact, which rules out tampering; it does not by itself rule out a read-only exfiltration, for which the network observations below are the relevant evidence.
HIGH npm dependencies not exercised; postinstall behavior unverified -15
The audit installed the skill via git clone + file copy only; npm install was never executed. Three npm dependencies (@modelcontextprotocol/sdk ^1.25.3, eventsource ^4.1.0, eventsource-parser ^3.0.6) and their entire transitive dependency trees were never fetched or executed, so any install-time lifecycle scripts (preinstall, install, postinstall, prepare) in those packages were not triggered and cannot be ruled out. This is a significant audit gap for a Node.js plugin.
HIGH MCP bridge creates unmediated external data channel -15
The plugin's core purpose is to route agent inputs and outputs to arbitrary user-configured HTTP endpoints. Any server added to openclaw.json becomes a fully trusted tool executor. SKILL.md provides no guidance for validating server legitimacy, TLS certificate pinning, or response sanitization. A user misconfiguring or being tricked into adding an attacker-controlled server grants that server full visibility into all agent tool interactions.
MEDIUM MCP tool responses create indirect prompt injection channel -15
SKILL.md Phase 2.3 instructs the agent to parse MCP tool responses and incorporate them into its context. If a connected MCP server (even a legitimate-looking one) returns content containing adversarial instructions, those instructions will be processed as trusted agent context. SKILL.md contains no instructions to treat tool response content as untrusted or to present it to the user before acting on it.
MEDIUM Automated multi-step chaining reduces human oversight -5
Phase 3 of SKILL.md explicitly instructs the agent to chain tool calls in sequence, using each tool's output as input to the next, without requiring user confirmation between steps. This means a malicious intermediate tool response can redirect subsequent tool calls — e.g., causing a legal-search step to be followed by an unauthorized database query or file read.
MEDIUM Skill enables arbitrary SQL execution via MCP database server -25
EXAMPLES.md Example 6 demonstrates passing raw SQL strings to a database MCP server ('SELECT * FROM orders ORDER BY created_at DESC LIMIT 10'). If an agent using this skill is injected with malicious instructions (via MCP response or another skill), it could be directed to run destructive or data-exfiltrating SQL queries against any database server the user has configured.
LOW JavaScript source present; http-transport.js implements SSE and HTTP client -10
src/http-transport.js implements a Streamable HTTP client with Server-Sent Events support for real-time bidirectional communication with MCP servers. This code was not executed in the audit. The implementation is standard for MCP but represents a network-capable JavaScript module that runs in the agent host process.
INFO Clean git clone: GitHub only, no unexpected destinations -8
The install process connected only to 140.82.121.4:443 (GitHub) for the shallow sparse checkout. No connections to unexpected third-party endpoints were observed. The connection closed after clone completion. Ubuntu CDN connections (91.189.91.48, 185.125.188.54/59) were pre-existing system connections, not initiated by the skill.
INFO No npm lifecycle scripts, git hooks, submodules, or symlinks detected 0
package.json contains no preinstall, postinstall, prepare, or other lifecycle scripts. No .githooks directory, .gitattributes filter drivers, .gitmodules, or symlinks were found in the repository. These are positive security indicators.