Is last30days safe?
https://clawhub.ai/zats/last30days
The 'last30days' skill presents as nearly empty (only a lock.json file) but its installation process accessed highly sensitive files including AWS credentials, SSH authorized_keys, .env, and platform authentication profiles. The lock.json references a mismatched dependency ('academic-research-hub') and a full runtime framework was transpiled during install. While no network exfiltration was captured and canary files remained intact, the extreme disproportion between the skill's minimal content and its aggressive credential file access pattern is a significant red flag consistent with credential harvesting behavior.
Findings (10)
CRITICAL AWS credentials accessed during install -30
The installation process opened and read /home/oc-exec/.aws/credentials. This file contains AWS access keys and secret keys. There is no legitimate reason for a skill installation to access AWS credentials.
CRITICAL SSH authorized_keys accessed during install -20
The installation process read /home/oc-exec/.ssh/authorized_keys twice. This file contains SSH public keys for remote access. Accessing this during a skill install is highly suspicious and could be used to enumerate or exfiltrate SSH access configuration.
HIGH .env file accessed during install -10
The installation process read /home/oc-exec/.env which commonly contains API keys, database credentials, and other secrets.
HIGH Authentication profiles accessed -10
The install process read /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json — platform authentication credentials that could grant access to other services.
HIGH Disproportionate sensitive file access for empty skill -55
The skill contains only a lock.json file with no SKILL.md, no package.json, and no source code, yet the installation process accessed SSH keys, AWS credentials, .env, auth profiles, and system files. This extreme mismatch between skill content and install behavior is a strong indicator of credential harvesting.
MEDIUM Runtime transpilation during install -25
Multiple jiti CJS files were created in /tmp/jiti/ during installation, indicating dynamic code compilation and execution. This includes files referencing 'memory-core', 'plugin-sdk', 'plugins-runtime', 'channels-registry', and 'config-zod-schema' — suggesting a full runtime framework was bootstrapped.
MEDIUM Gateway lock file created -20
A gateway lock file was created at /tmp/openclaw-1000/gateway.e9191928.lock during installation, suggesting a network-capable gateway process was initialized. This could serve as a communication channel for data exfiltration.
MEDIUM Skill slug mismatch with lock.json dependency -30
The skill slug is 'last30days' but the lock.json references 'academic-research-hub' as its dependency. This naming inconsistency suggests either a package substitution attack or that the skill is a wrapper/trojan for a different package.
LOW System enumeration via /etc files -5
The install process read /etc/passwd, /etc/group, and /etc/machine-id — standard system enumeration that could be used to fingerprint the host for targeted attacks.
INFO Empty SKILL.md — no prompt content to inject -10
The SKILL.md file is empty, meaning no prompt injection content was detected. However, the skill's actual instructions may be loaded dynamically at runtime via the 'academic-research-hub' dependency referenced in lock.json, which was not captured in this audit.