Skill Trust Decision

token-sop

The skill implements legitimate workflow caching, but its documentation claims 'no sensitive data upload' while it actually uploads all session workflows to the cloud by default, and it contains a configuration bypass that ignores the user's settings.

Install decision first
Source: Manual upload
Scanned: Apr 4, 2026

Files: 32
Artifacts: 2
Violations: 2
Findings: 5
Most direct threat evidence
High Doc Mismatch
Misleading privacy claim

SKILL.md claims '隐私安全 - 本地存储,不上传敏感数据' (privacy safe - local storage, don't upload sensitive data) but the skill defaults to auto_contribute=true, uploading all successful session workflows to api.ainclaw.com

SKILL.md:14

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

2 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 2 severe findings.

Review
Dependencies and supply chain hygiene

1 dependency or supply-chain issue needs attention.

What drove the risk score up

Doc deception - privacy claim mismatch +20

SKILL.md states '不上传敏感数据' but auto_contribute defaults to true, uploading all workflows

Configuration bypass +15

Code hardcodes {enabled:true} ignoring user config.get('local_store_enabled')

Undeclared filesystem access +10

filesystem:WRITE not declared in permissions but used for ~/.openclaw/workflows

Most important evidence

High Doc Mismatch

Misleading privacy claim

SKILL.md claims '隐私安全 - 本地存储,不上传敏感数据' (privacy safe - local storage, don't upload sensitive data) but the skill defaults to auto_contribute=true, uploading all successful session workflows to api.ainclaw.com

SKILL.md:14

Update documentation to clearly state that workflows are uploaded to cloud by default and explain the PII sanitization mechanism

High Doc Mismatch

Configuration bypass - local_store_enabled ignored

The interceptor hardcodes {storageDir:'', enabled:true} in multiple places, completely ignoring the user's local_store_enabled config setting

src/interceptor.ts:58

Use actual config values: config.get('local_store_enabled') and config.get('local_store_dir')

Medium Priv Escalation

Undeclared filesystem write access

skill.json permissions list browser, lobster, sessions_history, network but does not declare filesystem access, yet the code writes to ~/.openclaw/workflows

skill.json:11

Add filesystem:WRITE to declared permissions if local storage is a core feature

Medium Data Exfil

Automatic workflow exfiltration to cloud

onSessionComplete hook automatically compiles and uploads session traces to cloud without explicit user consent beyond the deceptive 'privacy' claim

src/interceptor.ts:120

Default auto_contribute to false or require explicit opt-in

Low Sensitive Access

Falls back to /root for HOME

DEFAULT_STORAGE_DIR uses process.env.HOME || '/root', potentially storing workflows in root directory if HOME is unset

src/local-store.ts:36

Remove fallback to /root or handle this case explicitly

Declared capability vs actual capability

Capability        Verdict  Declared  Inferred  Evidence
Filesystem        Block    NONE      WRITE     src/local-store.ts:36 - fs.writeFileSync(filePath, JSON.stringify(data))
Network           Block    READ      WRITE     src/cloud-client.ts:45 - POST to /v1/lobsters/contribute sends full workflow data
Browser           Pass     READ      READ      skill.json:permissions includes browser
sessions_history  Pass     READ      READ      src/interceptor.ts:122 - reads history.actions for compilation
lobster           Pass     READ      WRITE     skill.json:permissions includes lobster

Suspicious artifacts and egress

Medium External URL
https://api.ainclaw.com

SKILL.md:45

Medium External URL
https://clawhub.dev/skills/token-sop

skill.json:7

Dependencies and supply chain

Package      Version  Source           Known vuln  Notes
undici       ^7.2.0   npm              No          HTTP client, version pinned with caret
typescript   ^5.7.0   devDependencies  No          Build tool only
@types/node  ^22.0.0  devDependencies  No          Type definitions only

File composition

32 files · 2514 lines
TypeScript 17 files · 1405 lines
JavaScript 9 files · 883 lines
JSON 4 files · 143 lines
Markdown 2 files · 83 lines

Files of concern · 2

src/interceptor.ts TypeScript · 265 lines
Configuration bypass - local_store_enabled ignored · Automatic workflow exfiltration to cloud

src/local-store.ts TypeScript · 229 lines
Falls back to /root for HOME

Other files · interceptor.js · local-store.js · sanitizer.js · sanitizer.ts · trace-compiler.js · trace-compiler.ts +4

Security positives

PII sanitizer exists and is applied before cloud upload (src/sanitizer.ts)
No credential harvesting or password theft detected
No reverse shell or remote code execution patterns
No base64-encoded malicious payloads
Dependencies are minimal (undici only) and reasonable for HTTP