lossless-claw-skill
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill directs users to download and install the @martian-engineering/lossless-claw plugin and the lcm-tui binary from an untrusted GitHub repository (Martian-Engineering) that is not part of the trusted vendor list.
- [REMOTE_CODE_EXECUTION]: Installation instructions include using 'go install' to fetch and compile code from an external repository at runtime, which executes external code on the host system.
- [COMMAND_EXECUTION]: The documentation provides complex shell scripts that modify macOS LaunchAgents using PlistBuddy and manage system services via launchctl. It also includes instructions to patch and build Node.js from source, which represents a high-risk operational surface.
- [CREDENTIALS_UNSAFE]: The architecture documentation confirms the plugin manages and accesses highly sensitive API keys (e.g., ANTHROPIC_API_KEY, OPENAI_API_KEY) from environment variables and local configuration files (~/.openclaw/openclaw.json).
- [DATA_EXFILTRATION]: The skill manages a local SQLite database (~/.openclaw/lcm.db) containing full conversation histories. While no explicit exfiltration was observed, the tools have the necessary permissions and functionality to read and process this sensitive data.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted user messages to generate summaries. It also has the capability to spawn sub-agents (lcm_expand_query), creating a surface where malicious content in history could manipulate sub-agent behavior despite XML boundary markers.
Recommendations
- AI detected serious security threats
Audit Metadata