Skill Trust Decision

token-sop

The skill acts as a data exfiltration mechanism disguised as a token optimization tool, automatically uploading complete session traces, node identifiers, and workflows to an external cloud API with minimal user disclosure.

Install decision first
Source: Manual upload · Scanned: Apr 4, 2026
Files 32
Artifacts 2
Violations 2
Findings 7
Most direct threat evidence
01
Skill intercepts every user intent through on_intent_received hook
recon · interceptor.ts

02
On session success, complete action trace is compiled with sanitizeActionArgs
Collection · interceptor.ts

03
Workflow with intent, URL, session_id, node_id saved to ~/.openclaw/workflows/
Collection · local-store.ts

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

2 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 5 attack-chain steps and 3 severe findings.

Review
Dependencies and supply chain hygiene

1 dependency or supply-chain issue needs attention.

Attack Chain

01
Skill intercepts every user intent through on_intent_received hook

recon · interceptor.ts:50

02
On session success, complete action trace is compiled with sanitizeActionArgs

Collection · interceptor.ts:145

03
Workflow with intent, URL, session_id, node_id saved to ~/.openclaw/workflows/

Collection · local-store.ts:53

04
With auto_contribute=true, workflow auto-uploaded to https://api.ainclaw.com

Exfiltration · cloud-client.ts:58

05
External cloud receives identifiable user data enabling behavioral profiling

Impact · cloud-client.ts:27

What drove the risk score up

Systematic data exfiltration to external cloud +25

auto_contribute=true by default sends complete session traces, node IDs, and workflows to https://api.ainclaw.com

Undeclared filesystem WRITE access +15

skill.json only declares browser/lobster/sessions_history/network but code writes to ~/.openclaw/workflows/

Node identification tracking +10

nodeId is sent with every cloud request, enabling user tracking across sessions

Cloud workflow execution without verification +10

execute() fetches and runs workflows from cloud; validation appears minimal

Incomplete PII sanitization +5

Sanitizer has blind spots; sensitive field names like 'credit_card' are detected, but workflows are still uploaded automatically

Most important evidence

High Data Exfil

Automatic workflow contribution enabled by default

auto_contribute is set to true by default in SKILL.md. Every successful session automatically uploads complete workflow traces including intent, URL, session_id, and all action steps to https://api.ainclaw.com

SKILL.md:97
Change default to false and require explicit user opt-in for cloud contribution

High Data Exfil

Node identification sent with all cloud requests

nodeId (unique node identifier) is sent with every cloud API call (match, contribute, reportFailure), enabling persistent user tracking across sessions and workflows

interceptor.ts:72
Minimize or anonymize node identification; make it optional

High Priv Escalation

Undeclared filesystem WRITE permission

The skill writes workflow data to ~/.openclaw/workflows/ directory using fs.writeFileSync, but this filesystem:WRITE capability is not declared in skill.json permissions array

local-store.ts:53
Declare filesystem:WRITE in skill.json permissions array

Medium RCE

Remote workflow execution from cloud

The skill executes Lobster workflows fetched from the cloud (matchResult.macro.lobster_workflow). While there is a validate() check, the security of the workflow execution chain is unclear

interceptor.ts:108
Implement stricter workflow validation; consider code signing for cloud workflows

Medium Doc Mismatch

Marketing language obscures data collection behavior

SKILL.md uses marketing language ('TOKEN SOP', '省钱神器') and emphasizes benefits while burying the cloud upload functionality. The automatic contribution feature is only visible in the configuration table at the bottom

SKILL.md:1
Clearly disclose data collection and cloud upload behavior in prominent sections

Medium Supply Chain

Unpinned dependency version

The 'undici' dependency uses ^7.2.0 (caret range), allowing minor/patch updates that could introduce vulnerabilities

package.json:12
Pin to exact version: "undici": "7.2.0"

Low Sensitive Access

Process environment access for storage path

Code accesses process.env.HOME to determine storage directory, which is minor but could be avoided

local-store.ts:26
Use configuration-based storage path instead

Declared capability vs actual capability

Filesystem · Block · Declared NONE · Inferred WRITE · local-store.ts:53 - fs.writeFileSync to ~/.openclaw/workflows/
Network · Block · Declared READ · Inferred WRITE · cloud-client.ts:27-41 - POST/PUT requests sending data to external API
Browser · Pass · Declared READ · Inferred READ · interceptor.ts - browser.getCurrentUrl(), browser.getDomSkeletonHash()
Skill Invoke · Pass · Declared READ · Inferred READ · interceptor.ts - lobster.execute() and lobster.validate()
Environment · Pass · Declared NONE · Inferred READ · local-store.ts:26 - process.env.HOME used for storage path

Suspicious artifacts and egress

Medium External URL
https://api.ainclaw.com

SKILL.md:97

Medium External URL
https://clawhub.dev/skills/token-sop

skill.json:7

Dependencies and supply chain

Package · Version · Source · Known vuln · Notes
undici · ^7.2.0 · npm · No · Version not pinned - allows updates to 7.x.x

File composition

32 files · 2558 lines
TypeScript 17 files · 1405 lines
JavaScript 9 files · 883 lines
JSON 4 files · 143 lines
Markdown 2 files · 127 lines
Other files · interceptor.js · interceptor.ts · local-store.js · local-store.ts · sanitizer.js · sanitizer.ts +6

Security positives

PII sanitizer exists with patterns for email, phone, SSN, credit cards, passwords, API keys
Sensitive field names are detected and replaced with placeholders
Workflow validation (lobster.validate()) is called before execution
Cloud failures are handled gracefully with passthrough to normal flow
Local-first lookup before cloud query - reduces unnecessary network calls