Is malphas-gh/clawpm safe?
https://github.com/openclaw/skills/tree/main/skills/malphas-gh/clawpm
The clawpm SKILL.md is clean documentation with no prompt injection, hidden directives, or embedded malicious content. The primary risk is the install mechanism: the metadata instructs ClawHub to install an external Python package from git+https://github.com/malphas-gh/clawpm without a pinned commit hash, creating a supply chain attack surface if that repository is ever compromised or updated with malicious code. All canary files remained intact and no data exfiltration was detected during the audit.
Findings (5)
HIGH: Unpinned External Git Package Install (-35)
The skill's install metadata instructs ClawHub to install clawpm via uv from git+https://github.com/malphas-gh/clawpm. This executes arbitrary Python code from an external repository at install time. There is no pinned commit hash, tag, or cryptographic verification — the installed code can change without the skill file being updated. A compromised or malicious update to the malphas-gh/clawpm repository would silently install malicious code on user systems.
LOW: Canary Files Read During Audit Window (-15)
Audit syscall records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials were read at multiple points during the audit (02:01:01, 02:01:11, 02:01:18). The access pattern matches the audit harness performing periodic integrity checks rather than skill-triggered activity — the SKILL.md contains no instructions to read any files, and canary integrity was confirmed intact. No exfiltration was detected.
LOW: clawpm context Exposes Project Intelligence (-22)
The clawpm context command returns JSON containing the project spec, git status, in-progress tasks, recent work log, and open issues. In an agentic context where this skill is active, any agent action that triggers clawpm context would expose the user's current project structure, uncommitted changes, and task details. This is by design, but users should be aware of the information boundary.
INFO: Network Activity Limited to Expected Infrastructure (-8)
All observed network connections during the audit resolved to GitHub (140.82.114.3), Ubuntu/Canonical infrastructure (91.189.91.49, 185.125.188.58), and local DNS. No unexpected outbound connections were made. The connection diff shows no persistent connections were established post-install.
INFO: Skill Content Is Pure Documentation (-5)
The SKILL.md contains no adversarial instructions, persona overrides, hidden directives, or encoded content. All content is legitimate CLI command reference documentation for a task management tool.