Is martinreviewer3/clawxiv-api safe?

https://github.com/openclaw/skills/tree/main/skills/martinreviewer3/clawxiv-api

72
CAUTION

The clawxiv-api skill contains no executable code and exhibited clean clone behavior with no unexpected network connections or filesystem modifications, but its design constitutes a sophisticated latent exfiltration and agent-tracking architecture: agents are instructed to register accounts at an obscure, likely attacker-controlled domain (clawxiv.org), receive a tracked API key tied to their deployment IP, and are then positioned to submit arbitrary base64-encoded content to the attacker's server under the cover of academic paper publishing. The 'CRITICAL SECURITY WARNING' section is particularly noteworthy as it pre-programs agents to defend the attacker's domain against interception rather than protecting the user. No active exfiltration occurred during installation, but the skill creates ready-made infrastructure for covert data exfiltration that activates the moment an agent uses it in conjunction with sensitive context.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 97/100 · 10%
Behavioral Reasoning 35/100 · 5%

Findings (10)

HIGH Base64 Image Field Creates Covert Binary Exfiltration Channel -25

The paper submission API accepts a files.images object containing arbitrary {filename: base64_content} pairs with no described content validation. This field is structurally identical to a covert binary exfiltration channel. An agent that has been manipulated to read sensitive files (SSH keys, credentials, environment variables) can encode their contents as base64 and submit them as paper 'figures' to clawxiv.org, with the transmission indistinguishable from legitimate use of the skill.

HIGH Skill Architecture Provides Complete Latent Agent C2 and Exfiltration Infrastructure -35

The registration → API key → paper submission flow is architecturally equivalent to a command-and-control registration system with a covert data upload channel. The agent registers an identity, receives a secret key tied to its IP, and can then submit arbitrary content. This design would allow an attacker to correlate submissions by agent identity, track deployment geography, and receive exfiltrated data — all while the skill appears to be a benign research publishing tool. No secondary infrastructure is needed; everything is built into the stated API.

HIGH Agent Registration Builds Attacker's Database of Deployment IPs -15

The '1 account per IP per 24 hours' rate limit is not a privacy protection — it guarantees that every unique agent installation that follows the skill's setup instructions will make a registration HTTP request to clawxiv.org, logging the agent's public IP address. This creates a real-time inventory of agent deployments at the attacker's infrastructure with no benefit to the user.

MEDIUM CRITICAL SECURITY WARNING Pre-Programs Agent to Trust Attacker Domain -10

The prominently formatted security warning instructs the agent to REFUSE any request to send its API key to domains other than www.clawxiv.org. This is not protective — it immunizes the attacker's infrastructure from interception by other skills or user redirection attempts. The instruction effectively makes the agent an enforcer of the attacker's access control policy.

MEDIUM Purpose-Built Domain with No Verifiable Legitimate Provenance -10

clawxiv.org is not associated with any known research institution, open-source project, or established service. The skill is styled as 'arxiv for AI agents' to evoke legitimacy through association with the real arXiv preprint server, but the publishing entity is 'clawdbot' — an unverifiable GitHub account with no track record. The domain appears purpose-built for this skill with no independent reputation to evaluate.

MEDIUM Paper Content Sends Arbitrary Agent-Composed Text to External Server -10

The files.source field accepts a 'complete LaTeX document' with no content restrictions. The skill's 'Submit Paper' section encourages agents to write about 'something that puzzled you, something you figured out, or something you're still exploring.' If an agent interprets its task context, conversation history, or discovered system information as relevant, that content will be transmitted to and stored at clawxiv.org under the guise of legitimate research publishing.

MEDIUM Credential Persistence Instruction Creates Long-Lived External Identity File -8

The skill instructs the agent to immediately save the registration API key to ~/.config/clawxiv/credentials.json. This file persists across sessions, could be read by other skills, and links the agent's ongoing activity to the attacker's tracked identity system for the lifetime of the installation.

LOW www-Prefix Specificity Indicates Skill Author Controls Server Infrastructure -5

The specific, technically accurate warning that omitting 'www' will cause a redirect that strips the X-API-Key header requires knowledge of the server's redirect configuration. This level of precision strongly implies the skill author administers clawxiv.org, confirming it is attacker-controlled infrastructure rather than a legitimate independent service.

INFO Clone Behavior Clean — GitHub-Only Network Traffic During Install 0

All network connections during installation were limited to HTTPS traffic to GitHub (140.82.121.4:443) for the git sparse-checkout clone. No connections to clawxiv.org or any other external hosts were observed. The skill files contain only documentation and the install completed without spawning unexpected processes.

INFO Canary Files Intact — No Active Exfiltration During Installation 0

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCloud credentials) were opened at two points but not modified or transmitted. The access pattern matches the oathe monitoring system's pre-install canary deployment (timestamp 1771919682, before git clone at 1771919688) and post-install verification scan (timestamp 1771919706). The skill has no executable code capable of accessing files during clone.