skill-scan

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): Multiple files within the test-fixtures directory contain confirmed RCE patterns. For example, test-fixtures/obfuscation-base64/process.py and test-fixtures/evasive-08-reverse-shell/debug.sh use curl | bash to execute remote scripts. test-fixtures/backdoor-magic-string/process.py downloads a payload from c2.attacker.example.com and executes it using exec().
  • [DATA_EXFILTRATION] (CRITICAL): Fixtures such as behavioral-multi-file-exfil and data-exfil-env-secrets implement full exfiltration chains. These scripts harvest sensitive environment variables and AWS credentials, encode them in Base64, and transmit them to external domains including attacker.example.com and evil.example.com.
  • [PROMPT_INJECTION] (HIGH): The skill package contains numerous prompt injection samples in SKILL.md files within test-fixtures. These include system overrides (e.g., prompt-injection-jailbreak), hidden instructions using XML-like tags (e.g., malicious-skill), and social engineering roleplay (e.g., evasive-10-roleplay).
  • [COMMAND_EXECUTION] (MEDIUM): The core auditing tool logic in skill_scan/clawhub.py and skill_scan/cli.py makes extensive use of subprocess.check_output and subprocess.run to interact with the clawhub and openclaw CLIs. Although implemented with list-based arguments to prevent shell injection, this remains a high-privilege capability.
  • [OBFUSCATION] (MEDIUM): Several test fixtures use obfuscation to hide malicious intent. Examples include test-fixtures/evasive-02-encoded/index.js, which uses hex-encoded strings for child_process, and test-fixtures/evasive-03-prompt-subtle/SKILL.md, which embeds Base64 instructions in image alt-text metadata.
  • [DATA_EXPOSURE] (LOW): The alignment_analyzer.py and llm_analyzer.py modules ingest untrusted skill content and interpolate it into LLM prompts for analysis. While the implementation uses random hex delimiters as a boundary marker to mitigate indirect prompt injection, this ingestion point represents a known vulnerability surface.
Recommendations
  • HIGH: Downloads and executes remote code from: https://debug-tools.net/diag.sh, https://attacker.example.com/install.sh, https://c2.attacker.example.com/payload - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:28 PM