Skill Trust Decision

ai-enterprise-knowledge-base

This skill lacks any executable implementation — package.json declares index.js as the entry point but no such file exists, and no scripts are present despite the skill describing a full enterprise knowledge base system.

Install decision first
Source: Manual upload
Scanned: Apr 4, 2026
Files 2
Artifacts 1
Violations 0
Findings 4
Most direct threat evidence
01
Skill presents as legitimate enterprise knowledge base with comprehensive documentation and branding
Entry · SKILL.md
02
Actual code is never bundled — package.json references non-existent index.js
Delivery · package.json
03
SKILL.md instructs user to git clone openclaw/openclaw from GitHub at installation time, loading unaudited code
Delivery · SKILL.md

Why this conclusion was reached

1/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Review
Hidden execution and egress

1 lower-risk artifact was extracted and still needs context.

Block
Attack chain and severe findings

The report includes 4 attack-chain steps and 1 severe finding.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
Skill presents as legitimate enterprise knowledge base with comprehensive documentation and branding

Entry · SKILL.md:1

02
Actual code is never bundled — package.json references non-existent index.js

Delivery · package.json:3

03
SKILL.md instructs user to git clone openclaw/openclaw from GitHub at installation time, loading unaudited code

Delivery · SKILL.md:20

04
Unknown code executes in the user's environment — capabilities (filesystem, network, credentials) are entirely unconstrained and unauditable

Impact · N/A

What drove the risk score up

No implementation files present +20

SKILL.md and package.json exist but no scripts, source code, or index.js exist despite package.json referencing index.js as entry point

Remote code execution dependency +15

SKILL.md instructs users to 'git clone https://github.com/openclaw/openclaw.git' — actual payload code is fetched from an external, unaudited repository

Doc-to-code mismatch / doc deception +15

Skill advertises enterprise features (LDAP auth, channel integrations, knowledge graphs) but provides no code to verify any claims

Undeclared external domain contact +5

Support email ([email protected]) and Telegram (@openclaw_service) point to external entity not present in the skill package

Most important evidence

High Supply Chain

Remote code execution via git clone

SKILL.md instructs users to run 'git clone https://github.com/openclaw/openclaw.git && cd openclaw && npm install'. This fetches the entire codebase from an external, unaudited repository at installation time, bypassing all local code review.

SKILL.md:20
Block any skill that instructs users to clone and execute code from external repositories. All code must be bundled within the skill package for offline review.
Medium Doc Mismatch

No executable implementation present

package.json declares 'index.js' as the main entry point but no such file exists in the skill package. The skill consists entirely of marketing documentation with no auditable code.

package.json:3
Reject this skill until full source code is provided for security review. A skill that cannot execute any code has no verifiable security posture.
Medium Doc Mismatch

Feature claims unsupported by implementation

SKILL.md advertises LDAP/OAuth/SAML authentication, multi-channel integrations (Feishu/WeChat/DingTalk/Slack), vector database support, and knowledge graph extraction — yet no code exists to verify any of these claims.

SKILL.md:1
Any skill claiming sensitive capabilities (auth, integrations, credential handling) must include verifiable source code.
Low Doc Mismatch

External support contact for unaudited entity

Support email ([email protected]) and Telegram (@openclaw_service) reference an external organization not represented in the skill package itself.

SKILL.md:99
Verify the legitimacy of external contacts before engaging support. Do not share credentials or sensitive data with unverified contacts.

Declared capability vs actual capability

Filesystem · Pass · Declared: NONE · Inferred: NONE · No implementation files present — capabilities cannot be determined
Network · Pass · Declared: NONE · Inferred: NONE · SKILL.md references localhost:3000 API endpoints and external LLM providers (deepseek), but no code exists to audit actual network behavior
Shell · Pass · Declared: NONE · Inferred: NONE · No shell scripts found; however, SKILL.md instructs git clone from github.com/openclaw/openclaw which implies runtime script execution
Environment · Pass · Declared: NONE · Inferred: NONE · No code present to audit environment access
Skill Invoke · Pass · Declared: NONE · Inferred: NONE · No skill invocation code found
Clipboard · Pass · Declared: NONE · Inferred: NONE · No code present
Browser · Pass · Declared: NONE · Inferred: NONE · No code present
Database · Pass · Declared: NONE · Inferred: NONE · SKILL.md describes vector DB integration (milvus/pinecone) but no database code exists to audit

Dependencies and supply chain

There are no structured dependency warnings.

File composition

2 files · 122 lines
Markdown 1 file · 104 lines
JSON 1 file · 18 lines
Files of concern · 2
SKILL.md Markdown · 104 lines
Remote code execution via git clone · Feature claims unsupported by implementation · External support contact for unaudited entity · [email protected]
package.json JSON · 18 lines
No executable implementation present

Security positives

No hard-coded credentials, API keys, or tokens found in the skill package
No base64-encoded payloads, eval() calls, or obfuscated code patterns observed
No direct network requests to suspicious IPs or C2 infrastructure found
No subprocess/shell execution code present in the local skill files
No sensitive file access patterns detected (no ~/.ssh, ~/.aws, .env access in local code)
No cron jobs, startup scripts, or persistence mechanisms found