Skill v0.10.0

ClawScan security

Everclaw — Inference You Own · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 6, 2026, 5:57 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely matches its stated goal (install a Morpheus-based inference proxy and wallet tooling) but contains multiple red flags — an unsafe one‑line installer URL, embedded prompt‑injection patterns in SKILL.md, optional but highly‑privileged secrets (1Password service token, wallet private key), and many scripts that can read/modify user files and install persistent services.
Guidance
Before installing:
1) Do NOT run the one-line 'curl | bash' installer without manual review of the script; prefer cloning the public GitHub repo and inspecting it.
2) Verify the vendor/source: the metadata lists a GitHub repo name but the installer domain is get.everclaw.xyz — confirm the repo and release artifacts match the installer contents.
3) Avoid giving the skill broad secrets: do not provide your 1Password service account token or your main wallet private key unless you fully understand and trust the exact code you will run; if you need local P2P, use a dedicated wallet with minimal funds and hardware/Keychain protection.
4) Run the install in a disposable environment (VM/container) first to observe behavior, especially because the installer creates system services and network listeners.
5) Search the repo for 'pii-scan', 'fix-pii-all-repos', and similar scripts — these can read many files on disk; only run them if you expect and authorize repo-wide scanning.
6) If you want to proceed, prefer gateway-only mode (no local wallet/proxy) to reduce required privileges.
7) If you are unsure, ask for a security audit of the specific install scripts (install.sh, setup.mjs, bootstrap-everclaw.mjs) and any code that interacts with Keychain/1Password or performs blockchain transactions.
Findings
[ignore-previous-instructions] unexpected: This pattern appears in SKILL.md and is a prompt-injection indicator; an inference-proxy skill does not need to tell the agent to 'ignore previous instructions' and this may be an attempt to override agent safeguards.
[you-are-now] unexpected: Presence of 'you-are-now' style phrasing in SKILL.md indicates direct agent reconditioning attempts; not needed to configure an inference proxy and increases risk.
[unicode-control-chars] unexpected: Detection of unicode control characters in SKILL.md can be used to obfuscate or inject hidden content in prompts; not expected for typical installation instructions.

Review Dimensions

Purpose & Capability
note: Most declared binaries (curl, node), network hosts (api.mor.org, Base RPC), and scripts align with an inference/gateway + staking/wallet implementation. However, some requested capabilities are unexpected for a simple 'inference' skill: the SKILL includes PII-scanning scripts that can scan repos, wallet management and swap/approve flows, and an optional 1Password service account token. Those additional capabilities are plausible for full local P2P + staking functionality, but they materially expand the skill's scope (crypto custody, repo scanning, service management).
Instruction Scope
concern: SKILL.md instructs agents to run setup scripts that merge and write to openclaw.json and auth-profiles.json, install services, run wallet swap/approve flows, and may invoke PII-scans. The runtime instructions explicitly tell the agent to 'follow these steps exactly' (a form of strong instruction to the agent). Pre-scan detected prompt-injection patterns (e.g., 'ignore-previous-instructions', 'you-are-now') embedded in SKILL.md increase risk that the skill is attempting to alter agent behavior beyond normal skill duties. The instructions also promote a one-line 'curl | bash' installer which executes remote code on the host — broad permission to run arbitrary script.
Install Mechanism
concern: No formal install spec in registry metadata, but the project documents and changelog advertise a one-line installer: curl -fsSL https://get.everclaw.xyz | bash. That is a download-and-execute flow from a domain that is not a standard release host (GitHub releases, etc.). The code bundle in the registry contains many install and system scripts (install.sh, install-proxy.sh, install-with-deps.sh) and will write files and services to the user's home and set up launchd/systemd entries. Download-execute via a custom URL plus many extracted scripts is high-risk and warrants manual audit before running.
Credentials
concern: Declared env inputs in SKILL.md include WALLET_PRIVATE_KEY (optional), ETH_NODE_ADDRESS (optional), and OP_SERVICE_ACCOUNT_TOKEN (optional). Requesting a 1Password service account token or any wallet private key is high-privilege: those allow direct access to secrets and signing of on-chain transactions. The skill claims these are optional and stored/retrieved from Keychain/1Password without disk storage, but optional access still creates a large blast radius if provided. The presence of scripts that perform swaps, approvals, and staking justifies needing a wallet key in some deployment modes, but the OP_SERVICE_ACCOUNT_TOKEN request is not obviously necessary for typical inference usage and is disproportionate unless you explicitly want automated secrets retrieval.
Persistence & Privilege
concern: The skill will create persistent services (launchd entries on macOS; systemd guidance for Linux) and directories under ~/morpheus and ~/.openclaw. Installing persistent proxies and watchdogs is coherent with an always-on inference proxy, but installing system services and auto-starting network listeners is a privileged and persistent change to the host. Combined with the ability to store bootstrap keys and manage wallets, persistence increases the potential impact if the code is malicious or buggy.