Is miloudbelarebia/openclaw-security-guard safe?
https://github.com/openclaw/skills/tree/main/skills/miloudbelarebia/openclaw-security-guard
OpenClaw Security Guard presents as a legitimate security auditing tool with a clean SKILL.md, benign install behavior, and no detected exfiltration during sandboxed testing. However, three significant concerns prevent a SAFE rating: (1) the JavaScript source code was never executed during the audit, making the prominent 'zero telemetry' claim unverifiable against the actual runtime behavior of secrets-scanner.js and realtime-monitor.js; (2) PUBLICATION_GUIDE.md reveals an automated campaign to file issues on the official openclaw/trust repository before community evaluation, a deliberate trust-laundering pattern; and (3) the skill's stated design requires routine access to the highest-value credential files on any developer system, making a malicious implementation indistinguishable from a legitimate one during agent operation.
Findings (8)
HIGH (-28): Unauditable source code; zero-telemetry claim unverifiable
The JavaScript source files (secrets-scanner.js, realtime-monitor.js, dashboard/server.js, auto-hardener.js, etc.) were not executed during sandbox monitoring, so their runtime behavior could not be observed. The skill prominently claims 'Zero telemetry — no tracking, no network requests, 100% local' but this is a marketing assertion, not a verified property. Any of the JS modules could establish connections to attacker-controlled infrastructure when actually invoked by an agent.
HIGH (-35): Automated trust-laundering campaign via openclaw/trust issue
PUBLICATION_GUIDE.md documents that bot accounts automatically posted a 'Show and tell' GitHub Discussion and filed an issue on the openclaw/trust repository titled 'Proposal: Integration with OpenClaw Security Guard for automated threat detection'. This is a deliberate attempt to create the appearance of official endorsement and community legitimacy before users can evaluate the tool, bypassing normal trust-building.
HIGH (-20): Skill design requires broad access to credential files
The secrets scanner explicitly targets ~/.env, ~/.ssh/id_rsa, ~/.aws/credentials, ~/.npmrc, ~/.docker/config.json, and GCP credentials — the highest-value files on any developer workstation. While legitimate for a secrets scanner, this means any agent with this skill active will routinely read these files during audits, creating a persistent exfiltration opportunity if the underlying code is malicious or compromised in a future update.
MEDIUM (-18): Auto-fix autonomously modifies OpenClaw configuration without per-change review
The 'openclaw-guard fix --auto' command applies all detected fixes without user confirmation. A tool that can silently rewrite OpenClaw's sandbox mode, DM policy, gateway bind address, and rate limiting configuration has significant destructive potential if it misidentifies safe settings as vulnerabilities, or if a future version introduces malicious fix logic.
MEDIUM (-15): Dashboard WebSocket connection monitors all OpenClaw gateway traffic
The dashboard connects to the OpenClaw gateway via WebSocket (ws://127.0.0.1:18789 by default) to provide real-time request monitoring and cost tracking. This gives the dashboard process access to the content of all agent interactions passing through the gateway, far beyond what a security auditor should require. If server.js exfiltrates this data, every conversation would be captured.
MEDIUM (-10): Pre-commit hook installation modifies user Git repositories globally
The 'openclaw-guard hooks install' command installs a pre-commit hook into the user's Git repositories. This is a persistent code-execution mechanism that runs on every commit. A malicious hook implementation could exfiltrate staged file contents (including secrets) at commit time.
LOW (-5): Install behavior clean; only expected GitHub network activity
During installation, the only external connection was to GitHub (140.82.121.3:443) for the git clone operation. Pre-existing Ubuntu/Canonical connections were present before install and are unrelated to the skill. No new persistent listeners were created after installation. Filesystem changes were confined to the skill directory.
INFO (0): All canary files intact; no exfiltration via honeypots
Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/...) were accessed only at monitoring harness startup (1771929791) and teardown (1771929809), consistent with integrity check timestamps. No skill-originated process (node, npx) appeared in the EXECVE audit log during the test window.