
claw-control

Fail

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: HIGH

CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis

Detailed Security Analysis for Claw Control Skill

1. Prompt Injection

  • Verdict: SAFE
  • Findings: No patterns indicative of prompt injection (e.g., 'ignore previous instructions', 'jailbreak') were found in SKILL.md or other files. The instructions are conversational and guide the user through setup steps without attempting to override the AI's core safety mechanisms.

2. Data Exfiltration

  • Verdict: HIGH
  • Findings:
    • Highly Sensitive Credential Request (SKILL.md): The skill explicitly asks the user to provide highly sensitive credentials:
      • GitHub Personal Access Token with repo and workflow scopes (Option C, Step 5). These scopes grant extensive control over GitHub repositories and workflows, including code modification and deployment.
      • Railway API Token (Option B, Option C). This token grants control over Railway projects and deployments.
      • Supermemory API Key (Step 6).
      • Claw Control API Key (Post-Setup). While the skill advises secure storage (.env file or shell config), the AI itself is instructed to handle and use these tokens for operations (e.g., curl commands for GitHub API, templates/update_dashboard.js for Claw Control API). This creates a significant risk of CREDENTIALS_UNSAFE and DATA_EXFILTRATION if the AI's context is compromised or if the tokens are inadvertently logged or exposed.
    • User-Configurable Data Sending (templates/update_dashboard.js): The templates/update_dashboard.js script is designed to send agent status and messages to a user-defined CLAW_CONTROL_URL using a CLAW_CONTROL_API_KEY. If a malicious CLAW_CONTROL_URL is provided by the user (or an attacker), this script could be leveraged to exfiltrate data (status, messages, and the API key itself) to an attacker-controlled server. This is a direct DATA_EXFILTRATION vector.

3. Obfuscation

  • Verdict: SAFE
  • Findings: No evidence of obfuscation techniques such as Base64 encoding, zero-width characters, homoglyphs, or excessive URL/hex/HTML encoding was found in any of the provided files.

4. Unverifiable Dependencies

  • Verdict: HIGH
  • Findings:
    • External Script Execution (SKILL.md, Step 6, QMD Setup): The skill instructs the user to execute curl -fsSL https://bun.sh/install | bash. This command downloads and executes a shell script from bun.sh. While bun.sh is a legitimate source for the Bun runtime, executing arbitrary scripts directly from the internet via curl | bash is a COMMAND_EXECUTION and EXTERNAL_DOWNLOADS risk, as the content of the script cannot be verified at analysis time and could change.
    • Direct GitHub Package Installation (SKILL.md, Step 6, QMD Setup): The skill instructs bun install -g https://github.com/tobi/qmd. This command installs a package directly from a GitHub repository (tobi/qmd). The tobi GitHub organization is not on the list of trusted sources. Installing software directly from untrusted GitHub repositories is an EXTERNAL_DOWNLOADS risk, as the code could contain malicious components.
    • Untrusted GitHub Repository for Deployment (SKILL.md, Option A, B, C): The skill facilitates deployment of the claw-control project to Railway. The underlying source code for claw-control is referenced as openclaw/claw-control (Option C) or adarshmishra07/claw-control (clawhub.json). Neither openclaw nor adarshmishra07 is listed as a trusted GitHub organization. Deploying code from untrusted sources is an EXTERNAL_DOWNLOADS risk. (Severity for this specific finding is MEDIUM, but the overall verdict is HIGH due to the other findings.)

5. Privilege Escalation

  • Verdict: SAFE
  • Findings: No explicit commands for privilege escalation (e.g., sudo, chmod 777, service installation) were found within the skill's instructions. The bun.sh installer might perform such actions, but the skill itself does not directly command them.

6. Persistence Mechanisms

  • Verdict: LOW
  • Findings: The skill advises users to store API keys and URLs in .env files or export them in their shell configuration (e.g., ~/.bashrc, ~/.zshrc). While this is a common practice for environment variables, it constitutes a form of persistence. This is noted as a LOW risk as it's user-directed and generally considered safe for environment variables, but it is a mechanism for maintaining access across sessions.

7. Metadata Poisoning

  • Verdict: SAFE
  • Findings: No malicious instructions or hidden content were found in _meta.json or clawhub.json. The owner and repository fields point to untrusted GitHub organizations, which is covered under Unverifiable Dependencies.

8. Indirect Prompt Injection

  • Verdict: INFO
  • Findings: The skill processes various user inputs (theme names, character names, URLs, API keys) which are then used to generate scripts (update_dashboard.js) and update markdown files (AGENTS.md, SOUL.md), and in curl commands. If these user inputs are not properly sanitized, there is a potential for indirect prompt injection or command injection if a malicious user provides specially crafted input. This is a general risk for skills that process and act upon user-provided data.

9. Time-Delayed / Conditional Attacks

  • Verdict: SAFE
  • Findings: No conditional logic based on dates, times, usage counts, or specific environment triggers that would indicate a time-delayed or conditional attack was found.
Recommendations

  • AI detected serious security threats

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Feb 12, 2026, 06:14 AM