Oathe Security Badge

Is skill/lws safe?

https://clawhub.ai/skill/lws

77
CAUTION

LWS is a cryptocurrency wallet management tool that poses significant security risks due to its remote code execution installation method and high-value target nature. While no active malicious behavior was detected during monitoring, the curl | bash installation pattern and cryptocurrency context create substantial attack surface.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 40/100 · 20%
Clone Behavior 80/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (5)

CRITICAL Remote Code Execution via curl | bash -50

The skill instructs downloading and executing arbitrary code from a remote server using the dangerous 'curl -fsSL https://raw.githubusercontent.com/dawnlabsai/lws/main/lws/install.sh | bash' pattern. This could allow arbitrary code execution if the repository is compromised.

HIGH Cryptocurrency Wallet Management Risk -40

This tool manages cryptocurrency private keys and wallets, making it a high-value target for attackers. If compromised, it could lead to theft of cryptocurrency assets.

MEDIUM System Modification During Installation -10

The installation process modifies system configuration including PATH variables and may install Rust via rustup, changing the system state beyond just adding the skill.

LOW Potential Sensitive Data Storage -10

The tool creates wallet descriptors in ~/.lws/wallets/ which could contain sensitive cryptocurrency information that might be targeted for exfiltration.

LOW External Repository Dependency -20

The skill depends on an external GitHub repository which introduces supply chain risks if the repository is compromised or becomes unavailable.