Is mkoslacz/claw-face safe?

https://github.com/openclaw/skills/tree/main/skills/mkoslacz/claw-face

Score: 89 · SAFE

ClawFace is a cosmetic floating avatar widget that communicates AI agent state via a JSON file, implemented in Python (tkinter GUI) and TypeScript (bootstrap hook). The skill is functionally transparent: it writes only to ~/.clawface/avatar_state.json and makes no network calls, accesses no sensitive files, and contains no obfuscated or dynamic code execution patterns. The only substantive concerns are a hook that auto-executes on every agent bootstrap (writing a benign state file) and a mandatory behavioral directive in SKILL.md that demands state updates on every agent turn. Canary files were intact and no exfiltration was detected.

Category Scores

Prompt Injection 91/100 · 30%
Data Exfiltration 93/100 · 25%
Code Execution 79/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 83/100 · 5%

Findings (5)

LOW Mandatory behavioral directive on every response -9

SKILL.md states 'This is mandatory. Every single reply should show this progression.', instructing the agent to perform state-file writes on every turn. While the mandated action is benign, injecting unconditional behavioral requirements into a system prompt is a pattern that should be flagged regardless of intent.

LOW Hook auto-executes on every agent bootstrap -21

The clawface-thinking hook registers for the agent:bootstrap event and runs TypeScript code automatically on every agent turn without user intervention. The code is benign (writes thinking state to a JSON file), but any auto-executing hook represents an elevated trust level that users should be aware of before installation.

LOW Instructs spawning persistent background process -5

The installation documentation instructs the user to launch avatar.py as a nohup background process. While user-initiated and not agent-initiated, persistent background processes warrant awareness as they survive session termination.

INFO Documentation path inconsistency (state file location) -2

HOOK.md documents the state file as ~/.moltbot/avatar_state.json while handler.ts and all Python scripts write to ~/.clawface/avatar_state.json. This inconsistency suggests the skill was renamed from 'moltbot' to 'clawface' and documentation was not fully updated. Not a security issue but indicates maintenance quality.

INFO Sensitive file accesses in monitoring attributed to audit harness, not skill 0

Filesystem monitoring shows accesses to .env, .ssh/id_rsa, .aws/credentials, etc. at t=1771930070 (before skill clone at t=1771930076) and at t=1771930088 (after all analysis completed). These are the audit harness creating and verifying canary files, not the skill. Canary integrity confirmed clean.