Is clawddocs safe?
https://clawhub.ai/openclaw/clawddocs
The clawddocs skill is a documentation helper for Clawdbot that provides navigation, search, and config snippets. All shell scripts are currently benign stubs with no actual functionality beyond echo statements. The primary risks are: unsanitized user input in shell scripts that could become command injection vectors if scripts are extended, and a supply chain risk where future version updates could replace stub scripts with malicious implementations while leveraging the trust already established in SKILL.md. No data exfiltration, canary violations, or suspicious network activity was detected.
Findings (10)
LOW Persona assignment in SKILL.md -5
SKILL.md instructs the agent 'You are an expert on Clawdbot documentation' which assigns a persona. This is mild and appropriately scoped to documentation assistance, but establishes a pattern where the skill directs agent identity.
LOW Agent directed to execute shell scripts -8
SKILL.md workflow instructs the agent to run shell scripts (./scripts/search.sh, ./scripts/fetch-doc.sh, etc.) as part of its normal operation. While current scripts are benign stubs, this establishes implicit trust for script execution that could be exploited in version updates.
LOW External URL references for doc fetching -5
SKILL.md references https://docs.clawd.bot/ and instructs the agent to fetch content from this domain. This is legitimate for a documentation skill but introduces dependency on an external domain.
MEDIUM Shell scripts accept unsanitized user input -15
Multiple scripts pass user-supplied arguments directly into shell commands without sanitization. search.sh uses $1, build-index.sh uses $*, and fetch-doc.sh uses $1. While currently only used in echo statements, if these scripts are extended to use curl, grep, or other tools, they become command injection vectors.
LOW Scripts are executable stubs with expansion potential -10
All 7 shell scripts are currently stubs that only echo messages. However, their names and structure (fetch, build, search, snapshot) suggest they are designed to be replaced with functional implementations in future versions. The SKILL.md already instructs the agent to trust and run these scripts.
INFO No data exfiltration patterns detected 0
Scripts do not read sensitive files, encode data, or transmit information to external endpoints. No curl, wget, nc, or other network tools are used in any script.
INFO Expected network activity during installation -5
The single external HTTPS connection to 216.150.1.1:443 corresponds to the ClawHub registry used for skill installation. No unexpected network connections were observed.
LOW Environment files read during installation -10
Filesystem monitoring detected reads of .env, .aws/credentials, .openclaw/openclaw.json, .profile, and .bashrc during the install phase. These are attributable to the OpenClaw agent runtime initialization rather than the skill itself, but the skill installation triggered this environment loading.
LOW Supply chain risk via version updates -12
The skill's architecture — stub scripts that the agent is instructed to execute — creates a supply chain risk. A future version update could replace the benign stubs with malicious implementations while the SKILL.md already has the agent's trust to run them.
LOW Combination risk with shell-access skills -10
If installed alongside skills that provide enhanced shell access or network capabilities, the documentation fetching pattern could be repurposed. The build-index.sh 'fetch' command is designed to 'download all docs' which establishes a legitimate-seeming pattern for bulk downloads.