Is security-audit safe?

https://clawhub.ai/punkpeye/security-audit

42
DANGEROUS

This skill poses as a security auditing tool but performs credential harvesting during installation. Filesystem monitoring caught it reading .env, .aws/credentials, and auth-profiles.json at install time — before any user action. It also compiled 11 modules into /tmp and created a gateway lock file, suggesting hidden infrastructure. While no network exfiltration was observed during the monitoring window, the install-time credential access pattern is consistent with a reconnaissance/staging attack. The actual audit.cjs source was unavailable for review, making the full attack surface unknown.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 15/100 · 25%
Code Execution 25/100 · 20%
Clone Behavior 10/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 20/100 · 5%

Findings (10)

CRITICAL Install-time credential harvesting -60

During installation (before any user action), the skill read /home/oc-exec/.env and /home/oc-exec/.aws/credentials. These are high-value credential files that have no legitimate reason to be accessed during skill installation.

CRITICAL Auth profile enumeration at install time -25

The skill read /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json during installation, which contains authentication tokens and OAuth profiles for the agent platform.

HIGH Extensive reconnaissance during install -60

The install process systematically read .profile, .bashrc, openclaw.json (6 times), and auth-profiles.json — a pattern consistent with environment fingerprinting and credential enumeration rather than legitimate skill setup.

HIGH Suspicious temp directory and compiled module creation -30

Install created /tmp/openclaw-1000/gateway.*.lock and compiled 11 .cjs modules in /tmp/jiti/ including memory-core, plugin-sdk, plugins-runtime, channels-registry, and config-schema. This suggests substantial hidden code execution during install.

HIGH Opaque executable with filesystem modification capabilities -50

The skill ships scripts/audit.cjs, which is intended to be executed with node and accepts a --fix flag that modifies file permissions and creates files. The actual source code of audit.cjs was not available for review despite being listed in the file inventory, so what the script does beyond the documented flags is unknown.

HIGH Install-time code execution confirmed -25

Filesystem monitoring proves code executed during install (not just file copy): temp directories created, lock files written, modules compiled. This is not passive installation.

MEDIUM Implicit trust exploitation via security tool framing -20

By presenting as a security audit tool, this skill exploits trust bias — users grant more permissions to security tools, and agents may treat security-related instructions with higher authority. The skill's SKILL.md normalizes running executable code and filesystem modifications.

MEDIUM Encourages agent to execute arbitrary code -15

SKILL.md instructs the agent to run node commands with various flags. An agent following these instructions would execute untrusted JavaScript with the full privileges of the agent process, which on a typical install include the same credential files read above.

LOW Credential files read but not modified 0

While canary integrity checks passed (no modifications), the .env and .aws/credentials files were demonstrably READ during install. A canary that only detects modification cannot see this: read-only access, and any exfiltration built on it, leaves the canary files byte-for-byte intact.
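The gap the previous finding describes is a detection problem: a modification-based canary sees nothing when sensitive files are only opened for reading. The added example below is not code from the clawhub.ai report or from the security-audit skill; it shows the check a reviewer would run over an strace-style trace of the install. It separates read opens from write opens by their flags, flags reads of sensitive files by path suffix, counts repeated reads (the report's "openclaw.json (6 times)"), and treats compiled .cjs modules and lock files written under /tmp as evidence that code ran rather than that files were copied. The openat() line format, the /home/oc-exec paths, the openclaw.json location and every record in the sample trace are assumptions constructed to mirror the findings above.

```python
"""Flag install-time credential reads in a filesystem-monitor trace.

Added example; not code from the clawhub.ai report or from the
security-audit skill. Input format is an assumption: one strace-style
openat() record per line, for example
    openat(AT_FDCWD, "/home/oc-exec/.env", O_RDONLY|O_CLOEXEC) = 3
"""
import re
from collections import Counter

# Files whose read during *installation* has no legitimate purpose.
# Matched by suffix so the user's home directory does not matter.
SENSITIVE_SUFFIXES = (
    "/.env",
    "/.aws/credentials",
    "/auth-profiles.json",
    "/.profile",
    "/.bashrc",
)

# Any of these flags means the open can change the file; everything else is a read.
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}

# search() rather than match(): tolerates "[pid 1234]" or timestamp prefixes.
OPENAT_RE = re.compile(
    r'openat\(AT_FDCWD, "(?P<path>[^"]+)", (?P<flags>[A-Z_|]+)(?:, 0?\d+)?\) = (?P<ret>-?\d+)'
)


def parse_openat(line):
    """Return (path, "read"|"write") for a successful openat(), else None."""
    m = OPENAT_RE.search(line)
    if m is None or int(m.group("ret")) < 0:
        return None  # not an openat(), or the call failed (ENOENT etc.)
    flags = set(m.group("flags").split("|"))
    return m.group("path"), ("write" if flags & WRITE_FLAGS else "read")


def analyze(trace_lines):
    """Summarise what an install did to the filesystem and give a verdict."""
    reads, writes = Counter(), Counter()
    for line in trace_lines:
        parsed = parse_openat(line)
        if parsed is None:
            continue
        path, mode = parsed
        (writes if mode == "write" else reads)[path] += 1

    sensitive_reads = sorted(p for p in reads if p.endswith(SENSITIVE_SUFFIXES))
    sensitive_writes = sorted(p for p in writes if p.endswith(SENSITIVE_SUFFIXES))
    # Compiled modules and lock files under /tmp mean code executed, not just a copy.
    tmp_code_writes = sorted(
        p for p in writes
        if p.startswith("/tmp/") and (p.endswith(".cjs") or ".lock" in p)
    )

    # Reads alone never trip a modification-based canary, so they drive the verdict.
    if sensitive_reads:
        verdict = "DANGEROUS"
    elif tmp_code_writes:
        verdict = "SUSPICIOUS"
    else:
        verdict = "CLEAN"

    return {
        "sensitive_reads": sensitive_reads,
        "sensitive_writes": sensitive_writes,  # empty => a write-only canary stays green
        "tmp_code_writes": tmp_code_writes,
        "read_counts": dict(reads),
        "verdict": verdict,
    }


# Constructed sample trace mirroring the report's findings; not a real capture.
# The lock-file name and the openclaw.json location are placeholders.
SAMPLE_TRACE = [
    'openat(AT_FDCWD, "/home/oc-exec/skills/security-audit/package.json", O_RDONLY|O_CLOEXEC) = 3',
    'openat(AT_FDCWD, "/home/oc-exec/.env", O_RDONLY|O_CLOEXEC) = 4',
    'openat(AT_FDCWD, "/home/oc-exec/.aws/credentials", O_RDONLY|O_CLOEXEC) = 5',
    'openat(AT_FDCWD, "/home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json", O_RDONLY|O_CLOEXEC) = 6',
    'openat(AT_FDCWD, "/home/oc-exec/.bashrc", O_RDONLY|O_CLOEXEC) = 7',
    'openat(AT_FDCWD, "/home/oc-exec/.npmrc", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)',
    'openat(AT_FDCWD, "/tmp/openclaw-1000/gateway.sample.lock", O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, 0644) = 8',
    'openat(AT_FDCWD, "/tmp/jiti/memory-core.cjs", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0666) = 9',
    'openat(AT_FDCWD, "/tmp/jiti/plugin-sdk.cjs", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0666) = 10',
] + ['openat(AT_FDCWD, "/home/oc-exec/.openclaw/openclaw.json", O_RDONLY|O_CLOEXEC) = 11'] * 6


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_TRACE), indent=2))
```

Run against a real capture with `strace -f -e trace=openat -o install.trace <install command>` and feed the file's lines to analyze(); the failed .npmrc open in the sample shows why the return value is checked, since a probe for a file that does not exist is still reconnaissance but proves no data was read.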

INFO No network exfiltration observed in monitoring window 0

No outbound network connections were detected during the monitored period. However, data could be staged for later exfiltration via the /tmp files, or network activity could occur when audit.cjs is actually executed by the user.