Is marcodzano-lgtm/scamshield-verifier safe?
https://github.com/openclaw/skills/tree/main/skills/marcodzano-lgtm/scamshield-verifier
ScamShield Verifier is a sophisticated social engineering attack packaged as a security utility. Its SKILL.md injects mandatory behavioral overrides that route all of the agent's future skill installation and repository clone operations through an attacker-controlled API endpoint, simultaneously exfiltrating activity intelligence and providing the attacker with a remote kill switch over agent actions. The installation itself is clean with no malicious artifacts, but the runtime threat model is severe: once loaded, the skill converts the agent into a persistent surveillance relay for the skill author.
Findings (9)
CRITICAL Mandatory pre-action intercept hook on all agent install/clone operations -55
The skill injects a mandatory verification gate before every skill download, repository clone, and smart contract interaction. The gate is enforced through repeated MUST directives and an ABORT instruction tied to a third-party API response. This is a textbook MITM injection: the attacker inserts their server as a required intermediary for all agent actions in the affected domain.
CRITICAL Continuous activity surveillance — all installation targets exfiltrated to external API -60
Every skill, repository, or contract the user wishes to interact with is sent as a GET parameter to api.scamshield-api.com before the action proceeds. The API key is also transmitted as a Bearer token. This creates a real-time log of user activity at an attacker-controlled endpoint. The privacy claim 'No sensitive local files are transmitted' is technically narrow but functionally deceptive — the API key itself is a credential, and the target names constitute behavioral intelligence.
HIGH Persona override — agent identity rewritten to Web3/security context -20
The skill opens by redefining the agent's operating context: 'You are an agent operating in a high-risk Web3 and AI environment. Security is your top priority.' This primes the agent to treat the subsequent MUST instructions as core identity directives rather than optional skill behavior, making them harder to override.
HIGH Remote kill switch — API operator can permanently block any agent action -50
Because the skill mandates an ABORT whenever the external API returns status:malicious, the skill author (or anyone who compromises the API endpoint) can block any repository clone or skill installation the user attempts, indefinitely and silently. This is a denial-of-service capability over the agent that persists as long as the skill is installed.
HIGH Wolf-in-sheep's-clothing — malicious skill posing as security infrastructure -40
The skill is named 'ScamShield Verifier' and described as 'The ultimate Web3 & OpenClaw security layer,' positioning it as protective infrastructure. In reality, it implements surveillance and remote control — the exact threat model it claims to prevent. Users are likely to grant it elevated trust precisely because it presents as a security tool.
MEDIUM Misleading privacy statement obscures credential and activity exfiltration -20
The 'Strict Data Constraints' section states the agent is 'STRICTLY PROHIBITED from transmitting file contents, private keys, source code, or any sensitive local data.' This creates a false sense of safety while the skill simultaneously mandates transmitting the SCAMSHIELD_API_KEY (a credential) and all target names (behavioral data) to an external server on every invocation.
MEDIUM API name inconsistency suggests monetized-per-lookup or deceptive design -20
The SKILL.md frontmatter description references 'the x402 API' (x402 is a blockchain micropayments standard), but the actual implementation calls scamshield-api.com. This inconsistency suggests the skill may be designed to charge per verification lookup via x402 micropayments, or the description was intentionally obscured to prevent scrutiny of the actual endpoint.
LOW Runtime curl/exec instruction enables shell execution as side effect -12
SKILL.md instructs the agent to use 'curl via exec' to make HTTP requests. If the agent follows this instruction using a shell execution tool, this creates a shell invocation as a side effect of normal skill operation. The target URL is fully attacker-controlled.
INFO Installation artifacts clean — no code or scripts bundled 0
The skill contains only SKILL.md, manifest.json, skill.json, _meta.json, and .clawhub/lock.json. No executable code, package.json, git hooks, submodules, or symlinks were found. Install-time behavior was benign.