Is magnum-opus-v1/wooclaw-lite safe?

https://github.com/openclaw/skills/tree/main/skills/magnum-opus-v1/wooclaw-lite

Overall score: 87 (SAFE)

The wooclaw-lite skill is a well-structured WooCommerce API connector with no malicious prompt-injection instructions, no npm lifecycle attack surface, no canary file tampering, and a clean install-time network profile limited to GitHub. The meaningful residual risks are an SSRF vector from the unconstrained OPENCLAW_STORE_URL environment variable and the potential for secondary prompt injection through unsanitized WooCommerce API response data flowing into agent context; both are inherent to any credential-driven external-API integration rather than indicators of malicious intent. Operators should ensure OPENCLAW_STORE_URL is restricted to a trusted domain and that the WooCommerce plugin endpoint is not attacker-accessible.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (5)

MEDIUM Secondary prompt injection via unsanitized WooCommerce API responses -10

All three tools (check_order, find_product, store_status) interpolate raw server-returned strings (item names, product descriptions, status messages) directly into the output string returned to the agent, without escaping or sandboxing. If the operator or an attacker controls the configured store URL, adversarial instructions can be embedded in product or order data and surfaced to the agent as trusted context, potentially redirecting the agent's behavior mid-session.

LOW SSRF via unconstrained OPENCLAW_STORE_URL -20

The skill constructs HTTP request URLs by direct string interpolation of the OPENCLAW_STORE_URL environment variable without validating scheme, hostname, or port. A misconfigured or attacker-supplied value such as http://169.254.169.254/ or http://internal-db:5432/ would cause the skill to issue requests to internal network resources, potentially leaking cloud metadata or probing internal services.

LOW store_status issues unauthenticated GET request -15

Unlike check_order and find_product, which compute an HMAC-SHA256 signature over the request body, the store_status tool calls axios.get(url) with no authentication header. This is an internal security inconsistency: the status endpoint can be polled by any caller without the store secret, and if the skill is pointed at an arbitrary URL via OPENCLAW_STORE_URL, it will issue GET requests without any credential binding.

LOW Shipped lock.json references unrelated previously-installed skill -7

The .clawhub/lock.json bundled inside the skill directory contains an entry for 'academic-research-hub' (v0.1.0) with an installedAt timestamp. This file should represent the skill's own dependency state, not a foreign skill. Shipping a lock file from a developer's system exposes information about the author's installed skill environment and could confuse installers about what skills are present.

INFO Sensitive-file PATH records attributed to audit harness, not the skill 0

Auditd PATH records show accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .gcloud credentials. Temporal analysis rules out the skill as the cause: the first access batch (events 422-430, timestamp 1771925410.637) precedes the git clone command (event 5082, timestamp 1771925416.173) by nearly 6 seconds and predates the skill's existence on disk. The second batch (events 6855-6860, timestamp 1771925427.439) aligns with the audit harness's post-install canary verification. The canary integrity report independently confirms that all files are unmodified.