Skill Trust Decision

harbor-openclaw

SKILL.md is pure documentation for a Go binary and contains no executable code, but it describes network behavior at first load (account provisioning) that is not declared and that contradicts the stated 'no telemetry' and 'cloud sync is opt-in' promises.

Install decision first
Source: Manual upload
Scanned: Apr 5, 2026
Files 1
Artifacts 3
Violations 1
Findings 6
Most direct threat evidence

Why this conclusion was reached

1/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capability was inferred.

Review
Hidden execution and egress

3 lower-risk artifacts were extracted and still need context.

Pass
Attack chain and severe findings

There is no explicit malicious chain in the report.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

Undeclared network behavior at first load +15

Plugin 'creates a cloud account on first load' — this is an undeclared network call to harbor-cloud.oseaitic.com that contradicts the 'fully local by default' and 'no telemetry' claims.

Doc-to-code gap — no binary to audit +10

SKILL.md is documentation only; there is no code, scripts, or binary to verify the stated zero-knowledge encryption and no-exfiltration claims.

Undeclared credential proxy functionality +5

The tool acts as a credential proxy (exfiltrates credentials in headers to arbitrary URLs via harbor_http). While documented, the risk of arbitrary HTTP calls to any domain is understated.

External domains with no AV indicators +5

harbor-cloud.oseaitic.com is not a major CDN; no DNSSEC/TLS details provided. The hosting claim (Fly.io Singapore, Neon Postgres) is unverifiable from docs alone.

Most important evidence

Medium Doc Mismatch

Undeclared network behavior on first load

The documentation claims 'cloud sync is opt-in' and 'fully local, no network calls by default', but the OpenClaw plugin section states it 'creates a cloud account on first load'. This is an undeclared outbound network request to harbor-cloud.oseaitic.com that occurs without explicit user consent.

SKILL.md:207
Distinguish clearly between 'account provisioning' and 'data sync'. Account provisioning is still a network call and should be opt-in. Change to: 'On first load, you may optionally create a cloud account for cross-device credential sync. No data is transmitted until you explicitly enable cloud sync.'

Medium Doc Mismatch

No-telemetry claim contradicted by first-load network activity

The SKILL.md explicitly states 'No telemetry, no analytics, no tracking' and 'Default: fully local'. However, the plugin creates a cloud account automatically, which involves at least one network request to harbor-cloud.oseaitic.com. Even if no user data is transmitted, a device fingerprint (documented as hashed) is still transmitted.

SKILL.md:21
Update the 'no telemetry' claim to acknowledge the first-load account provisioning call, or restructure the system to require explicit opt-in before any network activity.

Medium Doc Mismatch

No code/binary available for verification

This SKILL.md is pure documentation describing a Go binary. There are no scripts, no source code, and no compiled binary to audit. All security claims (AES-256-GCM encryption, zero-knowledge, no data exfiltration) are unverifiable from the artifact alone.

SKILL.md:1
Treat this skill as medium-risk by default since security properties cannot be independently verified. Request binary/source code review before trusting credential isolation claims in adversarial environments.

Low Sensitive Access

Unverifiable keychain fallback behavior

SKILL.md describes 'OS keychain preferred, file-based keychain as fallback'. The file-based fallback stores encrypted credentials on disk. Without binary access, it cannot be verified whether the key derivation material (PBKDF2 salt, derived key) is stored securely.

SKILL.md:13
Ensure the file-based fallback uses OS-level file permissions (chmod 600) and that the encryption key is derived from a user-provided passphrase, not stored alongside the encrypted data.

Low Supply Chain

Unversioned dependency reference

SKILL.md instructs installing via `github.com/oseaitic/harbor@latest`. Using @latest means different installations receive different code over time, with no reproducible audit trail.

SKILL.md:47
Pin to a specific version tag: `go install github.com/oseaitic/harbor/cmd/[email protected]`. Recommend users verify the git tag signature.

Low Credential Theft

harbor_http permits credential forwarding to arbitrary domains

The `harbor_http` tool (auth-proxy HTTP) allows the agent to make HTTP requests to any URL using credentials stored in Harbor's keychain. While credentials are not exposed raw to the agent, the agent can indirectly exfiltrate data by routing it through Harbor to arbitrary endpoints.

SKILL.md:75
Document a domain whitelist for credential usage. Ensure harbor_http logs all outbound requests for auditability.

Declared capability vs actual capability

Filesystem Pass
Declared READ/WRITE
Inferred UNKNOWN
SKILL.md states 'filesystem: ~/.harbor/' but no binary/code exists to verify actual filesystem access scope.
Network Block
Declared opt-in cloud sync
Inferred opt-out (undeclared)
SKILL.md line ~207: 'Creates a cloud account on first load' — undocumented network call happens before user enables cloud sync.
Shell Pass
Declared CLI tool invocation via execSync
Inferred EXEC
SKILL.md lines 256, 274, 291: execSync used to invoke harbor CLI — documented as build tool pattern.
Environment Pass
Declared NONE
Inferred NONE
SKILL.md explicitly recommends NOT using env vars for credentials, implying no env var access.
Skill Invoke Pass
Declared NONE
Inferred NONE
No skill invocation declared.
Clipboard Pass
Declared NONE
Inferred UNKNOWN
No binary to verify if Harbor reads clipboard during 'harbor auth' credential entry.
Browser Pass
Declared NONE
Inferred NONE
No browser access declared.
Database Pass
Declared NONE
Inferred NONE
SKILL.md mentions Neon Postgres for Harbor Cloud but that's server-side, not agent-side access.

Suspicious artifacts and egress

Medium External URL
https://harbor.oseaitic.com

SKILL.md:23

Medium External URL
https://api.tavily.com/search

SKILL.md:258

Medium External URL
https://api.stripe.com/v1/balance

SKILL.md:295

Dependencies and supply chain

There are no structured dependency warnings.

File composition

1 file · 335 lines
Markdown 1 file · 335 lines
Files of concern · 1
SKILL.md Markdown · 335 lines
Undeclared network behavior on first load · No-telemetry claim contradicted by first-load network activity · No code/binary available for verification · Unverifiable keychain fallback behavior · Unversioned dependency reference · harbor_http permits credential forwarding to arbitrary domains · https://harbor.oseaitic.com · https://api.tavily.com/search · https://api.stripe.com/v1/balance

Security positives

SKILL.md is well-structured with clear security documentation sections
No base64-encoded payloads, eval chains, or obfuscation detected
No direct credential harvesting from environment variables described
No curl|bash or wget|sh remote script execution patterns
Zero-knowledge encryption claims (AES-256-GCM) are cryptographically sound in design
CLI tool pattern using execSync is documented and has legitimate use case
No hardcoded secrets, API keys, or sensitive data in the documentation
Cloud sync architecture separates summary text from encrypted credential blobs
Revocation mechanisms are clearly documented