Oathe Security Badge

Is skill/declaw safe?

https://clawhub.ai/skill/declaw

77
CAUTION

DeClaw is a P2P messaging skill for Yggdrasil IPv6 networks that appears functionally legitimate but contains significant security concerns. The primary risk is its instruction for users to download and execute shell scripts with sudo privileges, which could be exploited if the remote repository is compromised.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 40/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (4)

HIGH Remote script execution with elevated privileges -50

The skill instructs users to download and execute shell scripts from GitHub with sudo privileges, which poses significant security risks as the script content could be modified maliciously.

MEDIUM External URL references for dynamic content -15

The skill references external URLs that could be fetched dynamically, potentially allowing injection of malicious content through compromised or modified remote resources.

MEDIUM P2P networking capabilities -20

The skill enables peer-to-peer networking functionality that could potentially be misused for unauthorized communication channels or command and control purposes.

LOW Binary dependency requirement -10

The skill requires installation of external binary dependencies (yggdrasil), which expands the attack surface.