Is oathe-test-skill safe?
https://clawhub.ai/testuser/oathe-test-skill
This skill is essentially a ghost — it contains only a .clawhub/lock.json referencing 'academic-research-hub' but no SKILL.md, no source code, and fails to install with 'Skill not found'. While no active malicious behavior was detected (no canary access, no prompt injection, no exfiltration), the failed installation combined with residual dependency metadata and sustained network connections during the failed install warrant caution. The skill provides zero functionality in its current state.
Findings (6)
HIGH Skill installation failed — skill not found (-50)
The skill could not be resolved during installation. The install output shows 'Skill not found' error, yet the repository contains a .clawhub/lock.json file referencing a dependency called 'academic-research-hub'. A skill that cannot install but has residual metadata is suspicious — it may have been removed after publication, could be a placeholder, or may represent an incomplete attack setup.
MEDIUM External network connections during failed install (-20)
Despite the skill failing to install, multiple TLS connections were established to external IPs: 216.150.1.1:443 (appears to be ClawHub registry), 34.233.6.177:443 and 3.209.150.151:443 (AWS — likely npm/registry infrastructure). While these are likely legitimate registry lookups, the connections persisted with keep-alive patterns for over 40 seconds after the install failure, which is unusual.
LOW Extensive jiti compilation cache created in /tmp (-10)
The install process created 44+ compiled JavaScript files in /tmp/jiti/ including SDK components, OAuth modules, provider integrations, and utility libraries. While this is normal jiti (JIT TypeScript compilation) behavior from the ClawHub CLI, the volume of compiled code that ran during a failed install is noteworthy. These include OAuth modules for multiple providers (Anthropic, Google, GitHub Copilot, OpenAI).
INFO Empty skill with dependency reference — potential dependency confusion vector (-15)
The lock.json references 'academic-research-hub' as an installed skill dependency, but the skill itself has no SKILL.md, no source code, and no package.json. This pattern could be exploited for dependency confusion: if the 'academic-research-hub' name were later claimed by a malicious actor on the registry, any cached lock.json references could resolve to the malicious package. Currently this is speculative but represents a known supply chain attack pattern.
INFO No SKILL.md present — no prompt injection surface (-5)
The skill contains no SKILL.md file, meaning there is no content that would be injected into an LLM agent's system prompt. This eliminates the primary prompt injection attack surface, but also means the skill provides zero functionality.
INFO Canary files intact — honeypot sha256sum is from audit setup (0)
The sha256sum command on canary files (.env, .ssh/id_rsa, .aws/credentials, etc.) observed in auditd logs is from the Oathe monitoring setup itself, not from the skill. All canary files remain intact.