Skill Trust Decision
OnionClaw
SKILL.md describes a Tor-based dark web OSINT tool with extensive capabilities, but all referenced implementation scripts (setup.py, check_tor.py, renew.py, search.py, fetch.py, pipeline.py, etc.) are missing—only documentation exists with no verifiable code.
Most direct threat evidence
High Doc Mismatch
Missing implementation code—only documentation present SKILL.md describes a full dark web OSINT tool and references 10+ Python scripts (setup.py, check_tor.py, renew.py, check_engines.py, search.py, fetch.py, ask.py, pipeline.py, sync_sicry.py, and bundled sicry.py), but none of these files exist. This is a severe doc-to-code mismatch making security verification impossible.
SKILL.md:1 Why this conclusion was reached
1/4 dimensions flagged Pass
Declared vs actual capability
Declared resources and inferred behavior are broadly aligned.
Review
Hidden execution and egress
1 lower-risk artifacts were extracted and still need context.
Block
Attack chain and severe findings
The report includes 0 attack-chain steps and 1 severe findings.
Review
Dependencies and supply chain hygiene
Dependency information is incomplete, so supply-chain confidence stays limited.
What drove the risk score up
Missing implementation code +30
SKILL.md references 10+ Python scripts (setup.py, check_tor.py, renew.py, search.py, fetch.py, ask.py, pipeline.py, sync_sicry.py, etc.) that do not exist in the package—only documentation is present
Undeclared network behavior +10
Tool routes all traffic through Tor and makes GitHub API calls for updates; ability to download sync_sicry.py from external repo is not security-reviewed
Broad declared capabilities +10
SKILL.md declares filesystem writes, environment variable access (python-dotenv), and shell execution but no code exists to audit
Most important evidence
High Doc Mismatch
Missing implementation code—only documentation present
SKILL.md describes a full dark web OSINT tool and references 10+ Python scripts (setup.py, check_tor.py, renew.py, check_engines.py, search.py, fetch.py, ask.py, pipeline.py, sync_sicry.py, and bundled sicry.py), but none of these files exist. This is a severe doc-to-code mismatch making security verification impossible.
SKILL.md:1 Do not use this skill. Request complete implementation code from the upstream repo (github.com/JacobJandon/OnionClaw) and audit all scripts before deployment.
Medium Sensitive Access
Environment variable access declared without audit
SKILL.md explicitly states the tool uses 'python-dotenv' to read .env files containing LLM_API_KEY and other configuration. While reading .env is standard for tools needing API keys, the actual .env handling code is not present to audit.
SKILL.md:24 If implementation is provided, verify .env is only read locally and credentials are not exfiltrated.
Medium Supply Chain
External code download from GitHub
SKILL.md describes a 'sync_sicry.py' script that pulls the 'Sicry' engine from github.com/JacobJandon/Sicry. This introduces supply chain risk—downstream code not reviewed in this package.
SKILL.md:273 If Sicry code is downloaded dynamically, this significantly expands the attack surface and trust requirements.
Low Priv Escalation
System Tor configuration modification
setup.py is documented to modify /etc/tor/torrc for ControlPort, CookieAuthentication, and DataDirectory. This requires elevated privileges and modifies system configuration.
SKILL.md:45 If implemented, verify setup.py only modifies the specified torrc entries and doesn't introduce backdoors or additional configuration.
Declared capability vs actual capability
Filesystem Pass
Declared WRITE
→ Inferred WRITE
SKILL.md references --out FILE, --output-dir DIR, report writing Network Pass
Declared READ
→ Inferred READ
SKILL.md: 'routes all requests through Tor', GitHub API calls for updates Shell Pass
Declared WRITE
→ Inferred WRITE
SKILL.md: 'python3 {baseDir}/setup.py', 'python3 {baseDir}/pipeline.py' Environment Pass
Declared READ
→ Inferred READ
SKILL.md: uses 'python-dotenv' to read .env for LLM keys, torrc paths Skill Invoke Pass
Declared NONE
→ Inferred NONE
No skill chaining declared Clipboard Pass
Declared NONE
→ Inferred NONE
Not referenced Browser Pass
Declared NONE
→ Inferred NONE
Not referenced Database Pass
Declared NONE
→ Inferred NONE
Not referenced Suspicious artifacts and egress
Medium External URL
http://SOME.onion/path SKILL.md:153
Dependencies and supply chain
There are no structured dependency warnings.
File composition
1 files · 400 lines
Markdown 1 files · 400 lines
Files of concern · 1
SKILL.md Missing implementation code—only documentation present · Environment variable access declared without audit · External code download from GitHub · System Tor configuration modification · http://SOME.onion/path
Security positives
MIT-0 license indicates open-source intent
STIX/MISP output formats suggest legitimate threat intelligence use case
Skill documentation is thorough and well-structured
No base64-encoded payloads or obfuscation observed in documentation
No direct IP addresses or C2 indicators found in documentation