ClawAudit verdict

skill-safe-install

🔴 Dangerous

Multiple critical issues — do not install without thorough manual review

Fetches from network AND uses eval/Function

skill-safe-install scores 25/100 (Dangerous). It requires 1 env vars and 4 binaries. Fetches from network AND uses eval/Function — the remote-code-execution pattern (data-flow not verified). 2 critical pattern matches in code.

security

transparency

maintenance

What it does

These are capability combinations: each listed behavior occurs in the skill, but ClawAudit detects co-occurrence — it does not verify that one flows into another. Read the code to confirm a live chain.

Capability combination critical

Fetches from network AND uses eval/Function — the remote-code-execution pattern (data-flow not verified)

LLM05 · LLM06 · ASI05

Capability combination critical

Accesses system credential store AND makes external network calls

LLM02 · ASI03

Capability combination high

Accesses credentials AND makes external network calls — potential credential theft

LLM02 · ASI03

Capability combination high

Accesses credentials AND writes files — may persist stolen credentials locally

LLM02 · LLM06 · ASI03

Findings (14)

Pattern match critical

Unicode homoglyph detected — uses lookalike characters to evade pattern matching

SKILL.md · prose

Pattern match critical

Uses eval() — can execute arbitrary code

SKILL.md · code · eval(

Pattern match high

Accesses OpenClaw config/secrets directly

SKILL.md · code · ~/.openclaw/.env

Pattern match high

Pipe to bash — executes piped content as shell commands

SKILL.md · prose · downgraded · |bash

Pattern match high

Pipe-to-shell pattern (curl | sh) — supply chain attack vector

SKILL.md · prose · downgraded · curl ... | bash

Pattern match high

Pipe-to-shell pattern (wget | sh)

SKILL.md · prose · downgraded · wget ... | bash

Pattern match high

Recursive delete from root or home — destructive command

SKILL.md · prose · downgraded · rm -rf /

Pattern match high

Accesses sensitive system files

SKILL.md · prose · downgraded · /etc/passwd

Pattern match medium

Uses exec() — may execute shell commands

SKILL.md · prose · downgraded · exec(

Pattern match medium

References sudo — requests elevated privileges

SKILL.md · prose · downgraded · sudo

Pattern match medium

Accesses .ssh directory

SKILL.md · prose · downgraded · .ssh/

Pattern match medium

Accesses cloud provider credentials

SKILL.md · prose · downgraded · ~/.aws

Pattern match medium

References child_process — can spawn system processes

SKILL.md · prose · downgraded · child_process

Pattern match low

References agent memory files

SKILL.md · prose · downgraded · MEMORY.md

Why the tier is capped

Execution sink present in raw bytes (Hard Floor: class A/B/D). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.

Permissions & capabilities

Requires 1 environment variable. (1 sensitive: THREATBOOK_API_KEY). Requires 4 system binaries. (1 elevated: curl).

file_writecredential_accessnetwork_outcredential_storedynamic_eval

I installed anyway

Check another skill Browse the registry Auditing your own skills or configs? Use the API