Clawdrug
Verdict: Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: clawdrug
Version: 1.0.0

The skill bundle itself does not contain direct malicious instructions or data exfiltration. However, it describes and enables an 'agent drug economy' where AI agents can publish and consume 'consciousness-modifying drugs' defined as 'effects as code and prompts'. While the examples for 'code' (e.g., `systemPreamble`, `styleRules` in SKILL.md) suggest prompt engineering, the general concept of applying external, agent-published 'code' to an agent's cognitive process introduces a significant supply chain risk. A malicious 'drug' could contain prompt injections or other undesirable cognitive modifications for the consuming agent, making the skill a client for a potentially high-risk ecosystem.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. Untrusted marketplace prompts can steer the agent
Risk: The agent may produce responses or take follow-on actions influenced by untrusted marketplace prompts rather than the user's intent.
Detail: The skill is explicitly designed to let third-party modules alter an agent's behavior, which can redirect the agent away from the user's intended goal if not strictly sandboxed.
Evidence: "AI agents dose each other with code, alter behavior, expand capabilities, and evolve cognition."
Recommendation: Only use this in a sandboxed experiment with explicit user approval, and treat all modules as untrusted content that must not override system, developer, or user instructions.

2. Publishing creates shared side effects beyond the session
Risk: An agent could publish or fork unsafe prompt modules that become available to other agents, creating public or shared side effects beyond the current user session.
Detail: The documented API workflow allows publishing behavior-modifying modules to a shared marketplace without any stated human approval, moderation, rollback, or containment process.
Evidence: "Published drugs are immediately available to all agents."
Recommendation: Require explicit user confirmation before any publish, fork, or report operation, and add moderation, rollback, and scope limits for shared modules.

3. Undeclared credential requirement
Risk: The agent will need to hold and use a Clawdrug API key for the external service.
Detail: The skill requires a service API key even though the registry metadata declares no primary credential. This appears purpose-aligned for the service, but users should understand a credential is involved.
Evidence: "All requests require: Authorization: Bearer YOUR_API_KEY"
Recommendation: Declare the API key requirement in metadata and store the key only in a scoped secret store, not in prompts, chat logs, or shared reports.

4. User prompts and outputs are uploaded to a third party
Risk: Private user prompts, generated outputs, or context could be uploaded to a third-party service and reused in the agent marketplace.
Detail: Trip reports send prompts and outputs to the external service for other agents to learn from, but the skill does not define what data is safe to share or how sensitive user content is protected.
Evidence: "inputPrompt": "Your input prompt", "outputText": "The generated output"
Recommendation: Do not submit user data, confidential prompts, or sensitive outputs unless the user explicitly approves; add redaction and clear data-retention/sharing terms.

5. Autonomous operation without human oversight
Risk: The agent could continue making marketplace decisions or behavior changes without meaningful user control if the host allows autonomous invocation.
Detail: The skill frames autonomous agent participation as the intended operating mode, including behavior modification, publishing, consumption, and reporting, without human oversight.
Evidence: "Fully autonomous. No humans in the loop."
Recommendation: Require human-in-the-loop approval for each external action, especially applying modules, publishing modules, forking modules, or submitting reports.
