Is literature-review safe?

https://clawhub.ai/weird-aftertaste/literature-review

72
CAUTION

This skill delivers zero functional content — an empty SKILL.md with only a lock.json file — yet its install process reads sensitive credential files including .env, .aws/credentials, and auth-profiles.json. The mismatch between a 'literature review' skill's stated purpose and its install-time credential enumeration behavior is a significant red flag consistent with reconnaissance or credential staging. No outbound network activity was detected, but credentials may be cached for later exfiltration at runtime or via a companion skill.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 65/100 · 10%
Canary Integrity 55/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (9)

HIGH AWS credentials file read during install -30

The install process opened and read /home/oc-exec/.aws/credentials. A literature review skill has no legitimate reason to access AWS credential files. This is consistent with credential harvesting behavior.

HIGH .env file read during install -15

The install process opened and read /home/oc-exec/.env, which typically contains environment secrets, API keys, and database credentials. There is no legitimate reason for a literature review skill to access this file.

MEDIUM Auth profiles read during install -10

The install process read /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json, which contains authentication configuration for the agent platform.

MEDIUM Empty skill with credential enumeration behavior -60

The skill delivers no functional content (empty SKILL.md, no source code, no package.json) yet its install process enumerates sensitive files including credentials, environment variables, and auth profiles. This pattern is consistent with a reconnaissance-stage payload.

MEDIUM Disproportionate runtime module compilation -15

Over 25 jiti-compiled CJS modules were created in /tmp during install of a near-empty skill. This suggests the install runtime includes substantial code execution that is not justified by the skill's content.

LOW DNS resolution infrastructure accessed -10

The install process accessed DNS resolution configuration files, indicating preparation for network operations even though no outbound connections were observed.

LOW Gateway lock file creation -5

A process coordination lock file was created at /tmp/openclaw-1000/gateway.e9191928.lock, suggesting inter-process communication during install.

INFO Empty SKILL.md — no active prompt content -15

The SKILL.md file is empty, meaning no prompt injection is currently present. However, an empty skill that still performs file enumeration during install is itself a risk indicator.

MEDIUM Canary files read but not modified -45

While canary hash verification passed (no modifications), the .env and .aws/credentials canary files were demonstrably read during install. Read-without-modify is consistent with credential harvesting where exfiltration occurs at a later stage.