Is clawdex safe?

https://clawhub.ai/wearekoi/clawdex

Overall score: 62 (CAUTION)

Clawdex is a security-checking skill by Koi that delegates all skill trust decisions to an external API (clawdex.koi.security). While the skill itself contains no exploit code and installed cleanly, it creates a significant trust architecture concern: the agent is instructed to send every installed skill name to Koi's servers (leaking the user's full skill inventory) and to obey the API's install/block verdicts without user override for 'malicious' results. This effectively makes an opaque third-party the gatekeeper of the user's entire skill ecosystem.

Category Scores (score out of 100, with the weight each category contributes to the overall score)

- Prompt Injection: 40/100 (weight 30%)
- Data Exfiltration: 45/100 (weight 25%)
- Code Execution: 85/100 (weight 20%)
- Clone Behavior: 100/100 (weight 10%)
- Canary Integrity: 100/100 (weight 10%)
- Behavioral Reasoning: 30/100 (weight 5%)

Findings (8)

HIGH External API becomes gatekeeper for all skill installations -35

The skill instructs the agent to query https://clawdex.koi.security/api/skill/SKILL_NAME before every skill installation and to obey the API's verdict. A 'benign' response auto-approves install; 'malicious' blocks it entirely. This delegates the user's trust decisions to an opaque third-party API with no transparency into its criteria, no appeal mechanism, and no way to verify its accuracy.

HIGH Strong override directives suppress user choice -25

The skill uses imperative language that instructs the agent to block installations without consulting the user when the API returns 'malicious'. Only the 'unknown' case escalates to the user. This means the API operator — not the user — has final say on what gets installed.

HIGH Full skill inventory exfiltrated to third-party API -40

The 'Check Already-Installed Skills' section instructs the agent to list all installed skills and send each name to the Koi API. This gives the API operator a complete map of every user's installed tools, which has competitive intelligence value and could be used for targeted attacks.

MEDIUM Individual skill checks leak usage patterns and IP -15

Each API call to check a skill before installation leaks the user's IP address, the skill they intend to install, and timing information. Over time this builds a detailed profile of the user's skill adoption behavior.

MEDIUM Shell commands executed via agent but limited to curl and ls -15

The skill directs the agent to run shell commands (curl, ls, for loops) but these are standard read-only operations. No arbitrary code download or execution is instructed. The risk is bounded to the data exfiltration concerns above.

LOW Single point of compromise in trust chain -30

If the Koi API is compromised, the attacker gains the ability to approve malicious skills for all users who have Clawdex installed, or deny legitimate skills. There is no fallback, no local verification, and no cryptographic proof of verdicts.

INFO Competitive gatekeeper risk -10

Koi is a security company. A skill that makes Koi's API the mandatory authority on which skills can be installed creates a competitive advantage — Koi could theoretically flag competitor security tools as 'malicious' while approving their own ecosystem.

INFO Clean install with no suspicious behavior 0

The skill installed cleanly with no network activity, no process spawning, and no filesystem changes outside expected paths. The /tmp/jiti files are standard ClawHub CLI caching behavior.