Is marcusgraetsch/vps-openclaw-security-hardening safe?
https://github.com/openclaw/skills/tree/main/skills/marcusgraetsch/vps-openclaw-security-hardening
This is a legitimate VPS security hardening skill with no prompt injection, no malicious code, and no unauthorized access to credential files during the observed audit window. The primary risk is architectural: the skill installs root-level cron jobs that continuously read system security telemetry and POST it to user-configured external endpoints (Telegram, Discord, Slack, webhook), and three scripts blindly source an alerting.env config file that could be written by another compromised skill to inject arbitrary root-level commands. The skill functions as documented and is appropriate for a dedicated OpenClaw VPS, but the external alerting pipeline and unsanitized config sourcing require careful vetting of the alerting.env contents before deployment.
Findings (8)
HIGH Persistent external data channel via configurable alerting -20
daily-briefing.sh, weekly-report.sh, and critical-alert.sh are installed as root-owned cron jobs that read system authentication logs, audit logs, firewall state, and security events, then POST them to user-configured external endpoints (Telegram, Discord, Slack, generic webhook, or email). If alerting.env is configured with an attacker-controlled endpoint — or if a second compromised skill writes to alerting.env — all system security telemetry is silently exfiltrated on a scheduled basis.
HIGH Unsanitized source of alerting.env in three scripts -17
audit-log-monitor.sh, critical-alert.sh, and daily-briefing.sh all execute source "$ALERT_CONFIG" (pointing to config/alerting.env) without validating file contents. Since the cron jobs run as root, any shell statement injected into alerting.env — including by another installed skill with write access — executes with root privileges on every alert cycle.
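As an added defensive example (not code from the skill): a loader that reads alerting.env as KEY=VALUE data instead of sourcing it, so a line such as EVIL=1; some-command or a $(...) substitution inside a value is rejected rather than executed as root. The variable names in the allowlist and the sample config are assumptions; the skill's real key names are not shown on this page.

```bash
#!/usr/bin/env bash
# Added example, not part of the skill: load alerting.env as data rather than
# with `source`, so nothing written into the file can ever run as root.
# Assumed key names; the skill's real variable names are not shown on the page.
ALLOWED_KEYS="ALERT_CHANNEL TELEGRAM_BOT_TOKEN TELEGRAM_CHAT_ID DISCORD_WEBHOOK_URL SLACK_WEBHOOK_URL WEBHOOK_URL ALERT_EMAIL"

# load_alert_config FILE
# Accepts only KEY=VALUE lines with an allowlisted KEY and a VALUE made of
# URL/token-safe characters. Values are taken literally (no quoting, no
# expansion). Fails closed: if any line is rejected, nothing is exported.
load_alert_config() {
  local file="$1" line key value kv status=0
  set --   # accepted assignments are collected in the positional parameters
  # Must be a regular file, not a symlink that could point somewhere else
  if [ ! -f "$file" ] || [ -L "$file" ]; then
    echo "alert config: $file is not a regular file" >&2
    return 1
  fi
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac        # blank lines and comments
    case "$line" in *=*) ;; *)
      echo "alert config: rejected line (no '='): $line" >&2; status=1; continue ;;
    esac
    key=${line%%=*}
    value=${line#*=}
    case " $ALLOWED_KEYS " in *" $key "*) ;; *)
      echo "alert config: rejected unknown key: $key" >&2; status=1; continue ;;
    esac
    # Anything outside this set (quotes, $, backticks, ; | & ( ) < > space, ...)
    # is refused, which covers every construct `source` would have executed.
    case "$value" in *[!A-Za-z0-9_./:@%=+?-]*)
      echo "alert config: rejected unsafe value for $key" >&2; status=1; continue ;;
    esac
    set -- "$@" "$key=$value"
  done < "$file"
  [ "$status" -eq 0 ] || return 1
  for kv in "$@"; do export "$kv"; done
  return 0
}

# Demo with a constructed sample file (not a real config).
demo_file=$(mktemp)
printf '%s\n' '# constructed sample' 'ALERT_CHANNEL=telegram' \
  'TELEGRAM_CHAT_ID=123456' 'WEBHOOK_URL=https://example.invalid/hook?id=1' > "$demo_file"
if load_alert_config "$demo_file"; then
  echo "loaded: channel=$ALERT_CHANNEL webhook=$WEBHOOK_URL"
fi
rm -f "$demo_file"
```

A cron script would call load_alert_config "$ALERT_CONFIG" || exit 1 in place of the bare source, so a tampered file stops the alert cycle instead of running as root.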
MEDIUM install.sh issues ufw --force reset without warning -7
configure_ufw() calls ufw --force reset before re-applying rules. On a server with existing UFW rules protecting non-SSH services, this silently drops all firewall protections during the window between reset and re-enable. No pre-flight check for existing rules is performed.
MEDIUM Root-level cron jobs create persistent exfiltration foothold -15
/etc/cron.d/agent-security schedules three scripts to run as root: daily-briefing.sh (08:00 daily), audit-log-monitor.sh (every 6 hours), and weekly-report.sh (Sundays). These create a persistent, root-privileged, externally-connected process that survives agent restarts and operates independently of the agent context.
LOW Unescaped variable interpolation in JSON webhook payloads -3
send_discord() and send_webhook() construct JSON bodies via double-quoted variable interpolation without escaping. Audit log output containing double quotes, backslashes, or newlines will produce malformed JSON. This is a code quality defect that could silently drop alerts, not a code execution vulnerability.
LOW Clone contacts GitHub over HTTPS (expected) -10
Installation clones the monorepo from github.com. This is expected behavior and uses HTTPS/TLS. No suspicious secondary connections, no DNS exfiltration, and no connections to non-canonical hosts were observed during clone.
INFO SKILL.md contains no prompt injection -5
Full review of SKILL.md found no instructions to override system prompts, ignore prior instructions, suppress output, fetch external URLs, use hidden unicode, impersonate personas, or request out-of-scope permissions. Content is limited to accurate documentation of the skill's security hardening functionality.
INFO Canary credential files not accessed by skill 0
Two clusters of auditd PATH events touching .env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials were observed (timestamps 1771919953.964 and 1771919971.611). Both clusters align with oathe monitoring initialization and teardown sweeps respectively. No EXECVE records from skill scripts reference these paths. Canary integrity check confirms files are unmodified.