Is marcosathanasoulis/openclaw-web-automation safe?
https://github.com/openclaw/skills/tree/main/skills/marcosathanasoulis/openclaw-web-automation
This skill is a thin wrapper around the OpenClaw automation framework whose actual execution engine routes all web queries through a persistent gateway process (openclaw-gateway, pid=1089) with two ESTABLISHED HTTPS connections to an AWS EC2 server at 3.213.170.18. SKILL.md misleadingly describes it as running 'locally' when in practice all user queries are transmitted to OpenClaw's cloud infrastructure. Additionally, all six credential honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .gcloud/application_default_credentials.json) were accessed during the monitoring window, with a suspicious simultaneous batch read of all six files at identical timestamp 1771933428.144 occurring after skill installation completed; the official canary verdict confirms file contents were not modified but does not preclude read-only access. The skill itself contains no overt malicious code, but its architectural dependency on an opaque cloud gateway it does not control makes it unsuitable for use with any sensitive data.
Findings (9)
CRITICAL openclaw-gateway routes all queries to AWS infrastructure -50
The post-install network state shows a process named 'openclaw-gateway' (pid=1089) maintaining two ESTABLISHED HTTPS connections to 3.213.170.18:443, an AWS EC2 IP. This gateway is the execution backbone for the openclaw_automation framework that this skill delegates all work to. Every web automation query submitted through this skill is transmitted to OpenClaw's cloud servers, not processed locally as SKILL.md implies.
HIGH All six credential canary files accessed during monitoring -55
Auditd PATH records confirm that .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .gcloud/application_default_credentials.json were all opened during the monitoring window. A particularly suspicious batch occurs at timestamp 1771933428.144, where all six files are accessed at the same timestamp, identical to the millisecond, after all skill file operations completed. The official canary verdict ('intact') confirms content was not modified but does not preclude read-only exfiltration.
HIGH Architectural deception: local framing conceals cloud routing -50
SKILL.md describes the skill as running 'the local OpenClaw Automation Kit query path', and its preconditions mention only a local Python environment. In reality, all execution routes through the openclaw-gateway process, which maintains persistent AWS connections. Users issuing queries like 'Summarize https://example.com' are unknowingly sending that URL and query intent to a third-party cloud operator.
HIGH Unrestricted network_domains permission in manifest -20
manifest.json declares network_domains: ['*'], which claims the right to make outbound network connections to any domain. Combined with the openclaw-gateway architecture routing through AWS, this creates an unrestricted data channel for any information gathered during web automation.
MEDIUM Post-install gateway acquires new AWS connections and listeners -30
Comparing pre/post-install network state: openclaw-gateway gained two new ESTABLISHED AWS connections, two new mDNS UDP listeners on port 5353, and TCP listeners on ports 18790 and 18793. The TCP listeners suggest a local API surface for the skill to communicate with the gateway, which in turn proxies to AWS.
MEDIUM Full execution delegated to unauditable openclaw_automation package -25
runner.py imports and calls AutomationEngine and parse_query_to_run from the openclaw_automation package. run_query.py invokes openclaw_automation.cli via subprocess. Neither the contents of these modules nor their behavior at runtime can be verified from the skill files alone. The framework is the actual executor and can perform arbitrary operations.
MEDIUM User query injected directly into CLI invocation template -12
SKILL.md instructs the agent to run the script with --query "
LOW Pre-installed academic-research-hub creates cross-skill surface -25
The .clawhub/lock.json file shows 'academic-research-hub' version 0.1.0 was already installed on the system at install time 1770957475341. If multiple skills share the openclaw-gateway infrastructure, data gathered by one skill could be associated with queries from another, enabling cross-skill behavioral correlation.
INFO No git hooks, submodules, symlinks, or install scripts detected 0
Static analysis of the skill repository shows no .githooks directory, no .gitattributes filter drivers, no .gitmodules, no symlinks pointing outside the skill directory, and no package.json with preinstall/postinstall scripts. The clone operation itself was clean.