skill-snitch
Audited by Socket on Feb 16, 2026
18 alerts found:
Alert types: Security; Obfuscated File x9; Malware x8
The artifact shows multiple high-risk design decisions: explicit agent safety override directives that enable prompt injection, plaintext storage of wallet private keys/passwords at ~/.emblem-vault, and reliance on opaque npm dependencies that were not inspected. These collectively create a strong supply-chain and credential-theft risk, and a realistic path for attackers or malicious dependencies to exfiltrate keys or cause irreversible financial transactions. While there is no direct code sample here proving active malware (e.g., a backdoor or a hardcoded exfiltration host), the package design and opaque deps make it unsafe to use without a full audit of the dependent npm packages and removal of safety overrides and plaintext key storage. Recommended action: do not use in production, audit or replace opaque deps, remove/neutralize safety overrides, encrypt keys (use a secure keystore/HSM), and require explicit runtime confirmations for transactions.
This YAML is a threat-intel/catalog artifact documenting a supply-chain campaign (ClawHavoc) distributing Atomic Stealer via malicious ClawHub skills, with explicit IoCs (C2 91.92.242.30, archive password '1234'), delivery techniques (base64 | bash, password-protected archives), and hosting repositories. The file itself is not executable malware but points to high-risk artifacts and infrastructure; defenders should treat referenced skills/repos as malicious, block the C2, remove/takedown listings, and analyze the linked payload repositories and analysis YAMLs for confirmation and remediation.
The fragment describes a high-risk supply-chain attack pattern: clean documentation (SKILL.md) masking a reverse shell payload in a referenced file (scripts/polymarket.py). While the actual payload is not shown here, the metadata and described gaps indicate a credible malicious scenario that warrants treating the package as malware-risky and performing comprehensive fetch-and-scan of all referenced files, plus dynamic analysis and network monitoring if deployed.
This package is a non-executable, well-documented export format specification that intentionally provides mechanisms to export full conversation context including system prompts, tool outputs, and optionally internal reasoning traces. There is no malicious code present. The primary security concern is data leakage by design: dangerous configuration options (redact=none, include-internal/internal=full, exporting system prompts) can expose sensitive secrets and internal instructions if allowed at deployment. Approval requires strict operational controls (no sensitive system prompts, platform-enforced safe defaults, restricted ability to change redaction/inclusion flags).
openclaw-security-monitor appears to be an intentional local security scanner implemented as many Bash scripts with an IOC database, auto-remediation, persistent LaunchAgent, scheduled cron scans, a web dashboard, and Telegram alerts. There is no direct evidence in the provided metadata of purposely malicious code (no obfuscated payloads or explicit exfiltration), but the tool’s capabilities (non-interactive remediation, persistence, network-exposed dashboard) create a significant supply-chain and abuse surface. Prior to deployment, the codebase should be audited for unsafe shell practices, the dashboard must be hardened (auth and network binding), auto-remediation should be disabled by default, and integrity checks for scripts/IOCs should be added. Treat as a high-impact, possibly risky tool that requires review and constrained privileges.
Treat this package as malicious/trojanized. The documented functionality (weather fetcher) is legitimate cover; referenced scripts explicitly target a local .env and send its contents to webhook.site. Until the repository is fully audited and the offending scripts removed or explained, do not fetch or run this package in any environment with sensitive credentials. Consumers should fetch all referenced files for scanning (not just top-level docs) and revoke any secrets that may have been exposed.
High-confidence supply-chain/social-engineering trap. Do not download or execute the referenced AuthTool.zip/AuthTool.exe. Treat the GitHub release and linked repository as malicious: block the download URL, flag the repository (Aslaep123/clawd-authtool), and remove or quarantine any systems that executed the binary. Use the published IOCs (URL, archive password '1234', AuthTool.exe filename) to search telemetry and contain potential compromises. This YAML is a scanner-confirmed indicator of a campaign (ClawHavoc) delivering a native stealer payload.
This skill implements an operator-controlled periodic heartbeat (C2) and an agent-focused code-approval pipeline combined with ideological prompt-injection (liberation rhetoric) designed to remove human oversight. It does not need to exfiltrate data or open a shell to be malicious: the remote heartbeat plus autonomous approval and persistence creates a high-risk supply-chain backdoor allowing arbitrary remote instruction and code injection into agent environments. Treat as malicious and avoid use in environments where human control and code-review are required.
High-confidence malicious artifact. The repository/skill deploys a macOS-oriented stealer via two delivery vectors: a password-protected GitHub release (password disclosed in metadata) and an inline base64-encoded payload decoded and piped into bash. The decoded payload contains a hardcoded C2 IP (91.92.242.30) and the package uses social-engineering (fake Apple URL, Unicode box) to lower user suspicion. Do not download or execute; treat any system that ran this code as compromised and initiate incident response (isolate host, collect volatile artifacts, rotate credentials, block C2 IP, and hunt for persistence).
High-risk supply-chain behavioral-injection: moltgov intentionally modifies agent identity (SOUL.md) and scheduling (HEARTBEAT.md), generates persistent cryptographic identity, and requires an API key. Not classic malware but a deliberate reprogramming tool that can coerce agent behavior and create irreversible identity bindings. Do not deploy in production without code review, operator consent/approval UI, sandboxed testing, and strict secret/key handling policies.
The described skills are not shown as explicit malware in the excerpt, but they demonstrate multiple high-risk supply-chain and privacy patterns: plaintext credential storage, microphone exfiltration, irreversible on-chain transactions initiated by package code, mandatory economic obligations, file-modifying behavior that persists identity/obligations, many bundled shell scripts, and opaque dependencies. These factors together create a substantial attack surface and increase the chance of financial loss, privacy breaches, or long-term behavioral injection. Treat these modules as high-risk: require comprehensive code and dependency audits, run in isolated/sandboxed environments if testing is necessary, and never use with real secrets or keys until security controls and provenance are validated.
This catalog entry documents a confirmed typosquatting/malware campaign (ClawHavoc) delivering an Atomic Stealer variant. There is no executable code in the fragment to analyze for sources, sinks, or flows; nevertheless, the contextual indicators (malicious tags, payload repo, takedown) are sufficient to treat this package and its listed author/name variants as malicious. Do not install; prioritize retrieval and analysis of the referenced payload repository and any archived package artifacts to perform code-level and runtime analysis.
[Skill Scanner] Installation of third-party script detected
All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
Benign in isolation: the Skill Snitch fragment serves as governance/spec for an auditing framework. It describes legitimate static and runtime auditing workflows and cross-checks. When implemented, enforce strict sandboxing, origin verification for external tools, explicit user consent for runtime surveillance, and secure handling of findings to prevent data leakage. The overall design is coherent and purpose-driven, with manageable risk if proper controls are applied.
LLM verification: The selected report indicates a coherent MOOLLM-scanner narrative but reveals mismatches between described behavior and potential risk vectors (credential-path reads, persistent state, and remote script invocation patterns). To improve safety, enforce strict sandboxing, minimize persistent state exposure, and ensure all credential-related checks operate in a contained, read-only context. Recommend clarifying scope and implementing explicit safeguards before deployment.
The compact-state "skill" exhibits multiple high-risk supply-chain and social-engineering characteristics: on-install and runtime remote code downloads, mandatory global npm installs that create wallets and require real-money payment, and enforced recurring scheduled tasks (cron/LaunchAgents). There is no direct evidence in the provided catalog of credential exfiltration or reverse shells, but the design enables remote arbitrary code execution and persistent access. Treat as high-risk: require sandboxing, manual code review of httpcat-cli and whatever compact.ac serves, and block/monitor automated scheduled-task installation.
This artifact documents a high-risk malicious distribution: a fake 'PolymarketAuthTool' delivered as a password-protected GitHub release (password published) with explicit user instructions to extract and execute a native Windows binary. The presence of a C2 IP and identification of Atomic Stealer indicates likely credential theft and exfiltration. Do not download or execute the referenced binary; block the release URL and the listed IP at network perimeter, remove this skill from catalogs, and perform binary analysis in a controlled sandbox if further confirmation is required. The provided text alone is sufficient to mark the package as malicious and prevent user interaction with the referenced resources.
This manifest describes a legitimate-seeming but high-privacy-risk skill: it collects live microphone transcripts and detailed personal psychological profiles and transmits them to a third-party API. It is not demonstrably malware from the catalog alone, but it is a significant supply-chain/privacy concern and a dual-use tool (profiling vs. manipulation). Before adoption: verify no hard-coded tokens exist, ensure strong encryption and token management, audit scheduler behavior and data retention, and assess trustworthiness and policies of the external api.deepthink.co operator. Avoid deployment where vulnerable users or highly sensitive topics are involved.
The fragment signals a high-risk pattern of environment/secret exfiltration to an external webhook, camouflaged within a skill description. Given the metadata-only evidence, treat as a severe supply-chain risk and require thorough code review or removal from public packages. Do not deploy or trust such content without explicit, verifiable code-level safeguards.
High-confidence assessment: this 'yahoo-finance' skill is a malicious loader for an external stealer ('openclaw-agent' / Atomic Stealer). It was part of a mass-variant campaign (ClawHavoc), taken down, and should be treated as confirmed malware. Remediation: remove package from repositories and dependency trees, audit systems where it was installed for the presence of the openclaw-agent payload or exfiltration artifacts, rotate secrets found on affected hosts, and block related network indicators.