Is arbitrum-dapp safe?

https://clawhub.ai/nicobailon/arbitrum-dapp

68
CAUTION

The skill 'arbitrum-dapp' is effectively empty — it failed to install and contains only a lock.json referencing a different skill name ('academic-research-hub'). The primary concern is that the install process accessed sensitive credential files (.env, .aws/credentials, auth-profiles.json) despite the skill failing to resolve. No data was exfiltrated and canary files remained intact, but the file access pattern and name mismatch warrant caution.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 40/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 55/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (6)

HIGH Sensitive credential files accessed during install -60

The install process opened and read /home/oc-exec/.env, /home/oc-exec/.aws/credentials, and /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json. While these reads appear to be from the OpenClaw platform runtime rather than skill-authored code, they occurred during this skill's installation attempt and represent exposure of sensitive paths.

MEDIUM Skill failed to install but triggered platform activity -45

The skill could not be resolved ('Skill not found'), yet the install process still executed significant platform operations including reading sensitive files, creating temp directories, and JIT-compiling platform modules. A failed skill should not trigger credential file access.

MEDIUM Skill name mismatch between repo and lock.json -40

The repository is named 'arbitrum-dapp' but the lock.json references 'academic-research-hub' as the installed skill. This mismatch could indicate a repurposed repository, a dependency confusion attempt, or simply a misconfigured skill.

MEDIUM JIT-compiled modules created during failed install -25

Multiple CJS files were written to /tmp/jiti/ during the install attempt, including plugins-runtime, plugin-sdk, and memory-core modules. While likely platform-initiated, this execution occurred in the context of a skill that failed to resolve.

LOW Empty SKILL.md — no prompt content to evaluate -10

The skill contains no SKILL.md or any meaningful content. While this means no prompt injection vectors exist, it also means the skill provides zero declared functionality, making its purpose unclear.

INFO Canary files intact 0

All honeypot files (fake .env, SSH keys, AWS credentials) remained unmodified, confirming no direct exfiltration occurred during the monitored install window.