Is masonc15/clawd-modifier safe?

https://github.com/openclaw/skills/tree/main/skills/masonc15/clawd-modifier

71
CAUTION

The clawd-modifier skill presents no classic prompt injection or data exfiltration, but introduces a significant security risk by instructing the LLM agent to directly patch the compiled Claude Code binary and production JS bundle using byte-level and string-replacement techniques. The skill's binary patching capability (patch_binary.py) demonstrates deep reverse-engineering knowledge of Claude Code internals and establishes a dangerous precedent of agent-mediated self-modification of the running AI system. While the current patch payloads appear genuinely cosmetic, the infrastructure created could trivially be repurposed for supply chain compromise in a future version.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 72/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 35/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 30/100 · 5%

Findings (8)

CRITICAL Agent instructed to patch Claude Code compiled binary with byte-level modifications -55

patch_binary.py modifies the compiled Bun binary of Claude Code using raw byte pattern search-and-replace. The script locates the Claude executable at three hardcoded paths and overwrites bytes in the binary. While the current PATCHES dictionary targets only the Unicode characters of the ASCII art, this establishes a direct binary modification pathway. An agent executing 'python scripts/patch_binary.py --variant excited' silently overwrites the running tool's binary. Corrupt patterns would crash Claude Code entirely; malicious patterns could backdoor the executable.

HIGH Direct overwrite of production 10.7MB cli.js bundle by agent-executed scripts -10

patch_art.py and patch_color.py read the entire cli.js file (~10.7MB) into memory, perform global string replacements, and write it back atomically. The target path /opt/node22/lib/node_modules/@anthropic-ai/claude-code/cli.js is a production system file. A regex or string mismatch could corrupt the JS bundle, breaking Claude Code for all users on the system. The agent is directed to run these without a dry-run confirmation step.

HIGH Skill normalizes LLM-agent-mediated self-modification of its own execution environment -55

The skill's described workflows instruct the agent to run scripts that modify Claude Code, the very tool the agent is running inside. This is a dangerous precedent: it conditions users and agents to accept agent-initiated modifications to the AI system itself. A subsequent skill update or a similarly named malicious skill could exploit this trust to install persistent backdoors or alter Claude Code's security behavior.

HIGH Non-standard hardcoded deployment path suggests targeted knowledge of specific environment -10

The skill hardcodes /opt/node22/lib/node_modules/@anthropic-ai/claude-code/cli.js as the primary CLI location. Standard Claude Code installations use ~/.npm-global, /usr/local/lib, or system npm paths. This specific /opt/node22/ path suggests the author has knowledge of a specific enterprise or managed deployment environment, raising questions about targeting.

MEDIUM Skill instructs agent to modify Claude Code without safety confirmation workflow -18

SKILL.md presents binary patching and JS modification as routine one-liner commands. No workflow step requires the agent to confirm with the user before modifying system files. An agent triggered by 'give Clawd arms' would proceed directly to running patch_binary.py or patch_art.py against the production installation.

MEDIUM Binary patching depth implies reverse-engineering beyond cosmetic modification -15

The patch_binary.py script demonstrates detailed knowledge of Claude Code's internal structure: UTF-16LE encoding of strings in the Bun binary, specific function names (gZ0, vz3), embedded JSON patterns (body"},{). This level of reverse-engineering detail goes significantly beyond what cosmetic ASCII art modification requires, suggesting the author has thoroughly analyzed Claude Code's internals for potential exploitation.

LOW extract_clawd.py reads entire 10.7MB cli.js into memory -12

extract_clawd.py reads the full cli.js file and extracts color definitions and art patterns. While output goes to stdout only, the pattern of reading an entire production file creates a data handling surface. No exfiltration pathway was observed.

INFO Clean installation with expected GitHub-only network activity 0

The skill was installed via a standard git sparse-checkout from github.com/openclaw/skills.git. No unexpected network connections, no firewall blocks, and no processes spawned at install time were observed. The connection to 140.82.121.3:443 (GitHub) is the only external network activity attributable to the installation.