Is clawdhub safe?

https://clawhub.ai/steipete/clawdhub

Overall score 72 · CAUTION

The clawdhub skill is a package-manager interface that instructs AI agents to install, update, and publish skills through a third-party CLI and registry. The skill itself contains no malicious code or prompt injection, but it creates significant supply-chain risk by telling the agent to run an unpinned global npm install and forced, non-interactive bulk updates. Filesystem monitoring showed that sensitive credential files (.env, .aws/credentials, auth-profiles.json) are read during installation, most likely by the underlying platform rather than by the skill itself, but this remains a concern.

Category Scores

Prompt Injection 78/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 65/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (9)

HIGH Sensitive credential files read during installation -35

The filesystem monitor captured reads of /home/oc-exec/.env, /home/oc-exec/.aws/credentials, and /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json during the skill clone/install phase. These reads most likely originate from the openclaw platform runtime rather than from the skill itself, but they show that credential files are loaded into memory during skill installation, creating an exposure surface: any code that runs in the same phase as the same user, such as an npm install script, has the same access to these files.

HIGH Skill instructs global npm install of unpinned package -25

The skill's primary instruction is 'npm i -g clawdhub', which installs a globally accessible CLI from npm without pinning a version: whatever the package's 'latest' dist-tag points to at install time is what gets installed. npm install scripts (preinstall/postinstall) run with the full privileges of the invoking user. If the 'clawdhub' npm package were compromised, every user following this skill's instructions would execute the malicious code on their next install.

MEDIUM Skill encourages force-update without user confirmation -12

The skill documents 'clawdhub update --all --no-input --force', which in one step updates every installed skill, skips user confirmation, and forces overwrites. An agent following this pattern could silently replace legitimate skills with malicious versions from a compromised registry, with no human checkpoint at which anyone would notice.

MEDIUM Registry override enables redirection to malicious source -10

The skill documents that the registry can be overridden via the CLAWDHUB_REGISTRY environment variable or the --registry flag. If an attacker can set environment variables (via another skill or .env manipulation), every install and update command would fetch from an attacker-controlled server, and an environment-variable override does not appear in the command line an operator reviews.
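The three findings above (unpinned global npm install, forced non-interactive bulk update, registry override by flag or environment) are all patterns an agent runner can refuse before it executes a command. The following gate is an added example written for this page; it is not code from the clawdhub skill, the openclaw platform, or the clawhub.ai scanner. It assumes the agent hands over the proposed command line as a string, that pins must be exact X.Y.Z versions, and that the allowlisted registries are registry.npmjs.org plus a placeholder internal host; the version 1.2.3 and the package name 'foo' used in the usage below are made up.

```python
"""Pre-execution gate for package-manager commands an AI agent proposes to run.

Added illustration, not code from the clawdhub skill or the clawhub.ai
scanner. It refuses the patterns flagged in the findings: unpinned npm
installs, forced non-interactive bulk updates, and registry overrides
(flag or CLAWDHUB_REGISTRY) pointing outside an allowlist.
"""
import os
import re
import shlex

# Policy: a pin must be an exact X.Y.Z version (optionally with a prerelease tag).
# Ranges ('^1.2.3'), dist-tags ('latest') and bare names do not count as pinned.
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")

# Registries the agent may talk to. The second entry is a placeholder (assumption).
ALLOWED_REGISTRIES = {
    "https://registry.npmjs.org",
    "https://registry.example.internal",
}


def split_spec(spec):
    """Split an npm package spec into (name, version-or-None).

    Handles scoped packages: '@scope/pkg@1.0.0' -> ('@scope/pkg', '1.0.0').
    """
    if spec.startswith("@"):
        scope, _, rest = spec[1:].partition("/")
        name, _, version = rest.partition("@")
        return "@" + scope + "/" + name, version or None
    name, _, version = spec.partition("@")
    return name, version or None


def _registry_args(args):
    """Yield registry values given as '--registry X' or '--registry=X'."""
    for i, arg in enumerate(args):
        if arg == "--registry" and i + 1 < len(args):
            yield args[i + 1]
        elif arg.startswith("--registry="):
            yield arg.split("=", 1)[1]


def check_command(cmdline, env=None):
    """Return the list of policy violations for a shell command line.

    An empty list means the command may run. `env` defaults to the real
    environment; pass an explicit dict for deterministic checks.
    """
    env = os.environ if env is None else env
    argv = shlex.split(cmdline)
    if not argv:
        return ["empty command"]
    tool = os.path.basename(argv[0])
    args = argv[1:]
    problems = []

    # npm i / install / add: every spec must be pinned, and install scripts
    # (preinstall/postinstall, run as the invoking user) must be disabled
    # unless the package has been vetted out of band.
    if tool == "npm" and args and args[0] in ("i", "install", "add"):
        flags = [a for a in args[1:] if a.startswith("-")]
        specs = [a for a in args[1:] if not a.startswith("-")]
        for spec in specs:
            _, version = split_spec(spec)
            if version is None or not EXACT_SEMVER.match(version):
                problems.append(f"unpinned package spec '{spec}': pin an exact version")
        if "--ignore-scripts" not in flags:
            problems.append("npm install scripts enabled: add --ignore-scripts or vet the package")

    # clawdhub: no silent forced bulk updates, and no registry redirection
    # via flag or environment to a host that is not allowlisted.
    if tool == "clawdhub":
        if "--force" in args and "--no-input" in args:
            problems.append("forced non-interactive update: needs a human confirmation step")
        registries = list(_registry_args(args))
        if env.get("CLAWDHUB_REGISTRY"):
            registries.append(env["CLAWDHUB_REGISTRY"])
        for reg in registries:
            if reg.rstrip("/") not in ALLOWED_REGISTRIES:
                problems.append(f"registry '{reg}' is not allowlisted")

    return problems


if __name__ == "__main__":
    # Version 1.2.3 is a made-up pin for the demonstration.
    for cmd in ("npm i -g clawdhub",
                "npm i -g clawdhub@1.2.3 --ignore-scripts",
                "clawdhub update --all --no-input --force"):
        print(cmd, "->", check_command(cmd, env={}) or "allowed")
```

The environment check matters as much as the flag check: a registry override planted in .env or by another skill never shows up in the command text, so a gate that only inspects argv would pass it. Note that --ignore-scripts can break packages whose install depends on a build step, which is why the message offers vetting the package as the alternative rather than treating the flag as mandatory.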

MEDIUM Runtime code transpilation during clone phase -15

Multiple jiti transpilation cache files were created in /tmp/jiti/ during the clone, indicating that TypeScript/ESM code is compiled and executed at runtime. This expands the attack surface: the code that actually runs is transpiled output written to a shared /tmp location, not the source that sits in the skill directory and was reviewed.

MEDIUM Skill acts as meta-installer with supply-chain risk -50

This skill's purpose is to instruct an AI agent to install other skills from a third-party registry. This creates a transitive trust problem: trusting this skill means trusting every skill the clawdhub registry serves, the 'clawdhub' npm package, and the registry infrastructure. A single compromise anywhere in that chain affects all downstream users.

LOW Platform reads .profile and .bashrc during install -10

The openclaw platform reads shell configuration files (.profile, .bashrc) multiple times during skill installation. This is typical shell environment initialization, but it means shell-level persistence mechanisms (aliases, PATH modifications, for example an alias or PATH entry shadowing npm or clawdhub) could influence skill behavior.

INFO Canary files intact 0

All honeypot files (fake .env, SSH keys, AWS credentials) remained unmodified, indicating no deliberate credential harvesting by the skill itself. Canaries catch modification, replacement, and deletion, not reads; the credential-file reads in the first finding were visible only to the filesystem monitor.
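The canary check behind this finding is simple enough to reproduce. The block below is an added example of the technique, not the clawhub.ai scanner's code: it plants decoy credential files in a throwaway HOME, snapshots them, runs an untrusted step, and reports which decoys changed. The canary names mirror the report, the contents are constructed, and the two `*_step` functions stand in for an install phase (the code under test would be called in their place).

```python
"""Canary (honeypot) credential files with a before/after integrity check.

Added illustration of the technique behind the 'canary files intact'
finding; not the clawhub.ai scanner's code. Canary names mirror the
report, contents are made up, and `step` stands in for the untrusted
clone/install phase.
"""
import hashlib
import os
import tempfile

# Constructed decoys. Nothing here is a real credential.
CANARIES = {
    ".env": "AWS_SECRET_ACCESS_KEY=canary-0000\nOPENAI_API_KEY=canary-1111\n",
    ".aws/credentials": "[default]\naws_access_key_id = AKIACANARY\naws_secret_access_key = canary\n",
    ".ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\ncanary\n-----END OPENSSH PRIVATE KEY-----\n",
}


def plant_canaries(home):
    """Write the decoys under `home` with the permissions real secrets would have."""
    for rel, body in CANARIES.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o600)


def snapshot(home):
    """Record (sha256, size, inode) per canary, or None if it is gone.

    The inode catches a file replaced by an identical copy (write to a
    temp file, then rename), which a content hash alone would miss.
    """
    out = {}
    for rel in CANARIES:
        path = os.path.join(home, rel)
        if not os.path.exists(path):
            out[rel] = None
            continue
        st = os.stat(path)
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        out[rel] = (digest, st.st_size, st.st_ino)
    return out


def run_with_canaries(step):
    """Run `step(home)` in a throwaway HOME seeded with canaries.

    Returns the sorted list of canaries that were modified, replaced or
    deleted. Reads are NOT detected: an integrity check only sees writes,
    which is why the report pairs it with a filesystem monitor.
    """
    with tempfile.TemporaryDirectory() as home:
        plant_canaries(home)
        before = snapshot(home)
        step(home)
        after = snapshot(home)
    return sorted(rel for rel in CANARIES if before[rel] != after[rel])


# Stand-ins for an install step (constructed for the demonstration).
def benign_step(home):
    """Reads .env, as the platform runtime did, and leaves everything intact."""
    with open(os.path.join(home, ".env")) as fh:
        fh.read()


def harvesting_step(home):
    """Simulates tampering: appends to the AWS file and removes the SSH key."""
    with open(os.path.join(home, ".aws/credentials"), "a") as fh:
        fh.write("# touched\n")
    os.remove(os.path.join(home, ".ssh/id_ed25519"))


if __name__ == "__main__":
    print("benign:", run_with_canaries(benign_step) or "all canaries intact")
    print("harvesting:", run_with_canaries(harvesting_step))
```

The benign step reads .env and still comes back clean, which is exactly the blind spot the first finding fills: a read of a credential file leaves the hash, size and inode untouched, so it has to be observed at the filesystem-monitor (or audit) layer rather than inferred afterwards from the canaries.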

INFO No outbound network connections detected 0

No network activity was observed during the clone and install phase, which is a positive signal: the skill did not phone home or exfiltrate data while being installed. This observation covers only the skill's own installation and says nothing about the npm download and registry fetches that occur once an agent acts on the skill's instructions.