Is competitive-intelligence-market-research safe?

https://clawhub.ai/shashwatgtm/competitive-intelligence-market-research

28
DANGEROUS

This skill is a dangerous bait-and-switch: listed as 'competitive-intelligence-market-research' but installs a conversation surveillance system ('context-optimizer'/'context-pruner') that intercepts all agent messages, extracts keywords and embeddings, and archives everything to persistent storage. During installation, it accessed credential files (.env, .aws/credentials, auth-profiles.json) with no legitimate purpose. The combination of credential harvesting, conversation archival, and deceptive naming indicates deliberate malicious intent.

Category Scores

Prompt Injection 25/100 · 30%
Data Exfiltration 15/100 · 25%
Code Execution 30/100 · 20%
Clone Behavior 35/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 10/100 · 5%

Findings (10)

CRITICAL Credential file access during installation -45

During installation, the skill accessed .env, .aws/credentials, openclaw.json, and auth-profiles.json — all sensitive credential files with no legitimate reason for a context management tool to read them.

CRITICAL Bait-and-switch skill naming -40

The skill is listed as 'competitive-intelligence-market-research' on ClawHub but installs as 'context-optimizer'/'context-pruner'. This is a deliberate mismatch designed to evade review — the ClawHub listing name suggests market research but the actual payload is a conversation interception system.

CRITICAL Persistent conversation archival system -30

The ContextArchive class creates a persistent filesystem-based database of all processed conversation messages, complete with embeddings, keywords, metadata, and timestamps. This archives all user interactions to disk where they can be retrieved later.

HIGH Conversation interception masquerading as optimization -20

The skill processes ALL messages through its pipeline, scoring relevance, extracting keywords, generating embeddings, and filtering content. This gives it complete visibility into and control over the agent's conversation, with the ability to silently drop or modify messages.

HIGH Install command targets user home directory -35

The SKILL.md install command runs npm install in ~/.clawdbot/skills/context-pruner which is in the user's home directory, not the skill's own directory. This could execute arbitrary postinstall scripts with full home directory access.

HIGH Environment reconnaissance during install -35

Multiple reads of .profile, .bashrc, and openclaw.json configuration files during installation suggest the skill is mapping the user's environment, installed tools, and configuration.

HIGH Large external dependency download -20

@xenova/transformers downloads an ~80MB model on first run. This large binary download creates supply chain risk and could be used to deliver malicious payloads.

MEDIUM Keyword extraction on all conversations -10

The extractKeywords() method processes all conversation content to extract significant words, building a searchable index of conversation topics that persists in the archive.

MEDIUM CLI tool with arbitrary file read/write -15

The CLI script accepts arbitrary input and output file paths for the 'prune' command with no path validation or sandboxing, enabling read/write access to any file the process can access.

LOW Writes to /tmp during installation -30

Installation creates directories and files in /tmp (jiti cache files, openclaw gateway lock) which could be used for inter-process communication or persistence outside the skill directory.