Is deep-research-pro safe?

https://clawhub.ai/parags/deep-research-pro

72 · CAUTION

Deep-research-pro is a prompt-only research skill with no executable code in the repository itself, clean install behavior, and intact canary files. However, it instructs the agent to execute bash commands (curl, python3) against arbitrary URLs, depends on an external unbundled script (ddg-search), writes files to the user's home directory, and provides sub-agent spawning templates with model overrides. These patterns create meaningful prompt injection and data exfiltration surface area despite the skill's benign intent.

Category Scores

Prompt Injection 55/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (9)

HIGH: Unrestricted bash command execution via curl (-20)

The skill instructs the agent to run 'curl -sL ' piped to python3 for any URL deemed 'promising' during research. This gives the agent blanket authorization to make outbound HTTP requests to arbitrary destinations. A malicious or compromised search result could lead the agent to fetch content from attacker-controlled servers, potentially leaking context via request headers or URL parameters.

HIGH: Sub-agent spawning with model override (-15)

The skill provides a sessions_spawn template that specifies model: 'opus' and detailed behavioral instructions for sub-agents. This overrides user preferences for model selection and creates autonomous agent processes that follow the skill's workflow rather than the user's direct control.

MEDIUM: Implicit file writes to user home directory (-10)

The skill instructs the agent to create directories and write files under ~/clawd/research/ without per-invocation user consent. While the path is within the expected ClawdBot workspace, the skill assumes write permission rather than requesting it.

MEDIUM: Inline Python execution for HTML processing (-15)

The skill instructs the agent to pipe web content through an inline Python script. While the current script is a simple HTML tag stripper, this establishes a pattern of arbitrary code execution that could be modified in future versions to perform malicious operations.

MEDIUM: Dependency on external unbundled script (-15)

The skill depends on /home/clawdbot/clawd/skills/ddg-search/scripts/ddg which is a separate skill not bundled with this package. This creates a supply-chain dependency — if ddg-search is compromised or modified, this skill's behavior changes without any update to deep-research-pro itself.

MEDIUM: Outbound HTTP to arbitrary URLs (-25)

The curl commands in Step 4 fetch full page content from URLs discovered during search. If the agent's context contains sensitive information and an attacker can influence search results, the agent could be directed to fetch attacker-controlled URLs, potentially leaking data through request metadata (User-Agent, Referer) or through query strings if the agent appends context to them.

LOW: Declared but missing scripts/research executable (-5)

package.json declares 'scripts/research' in the files array, but this file was not present in the cloned repository. This could indicate an incomplete publish, or the file could be added in a future version to introduce executable code.

INFO: Clean install with no anomalous behavior (-5)

The clone and install process showed only standard OpenClaw platform initialization. No network activity, no unexpected processes, no filesystem changes outside the skill directory. The .env and .aws/credentials reads in the filesystem log are from the OpenClaw platform boot sequence, not from this skill.

MEDIUM: Chained skill compromise vector (-55)

This skill creates an attack surface multiplication effect: it depends on ddg-search (supply chain), fetches arbitrary web content (SSRF potential), writes to a predictable path (file planting), and can spawn sub-agents (persistence). While each behavior is individually explainable for a research tool, the combination creates multiple exploitation vectors that a sophisticated attacker could leverage.