Crabwalk
Pass. Audited by VirusTotal on May 12, 2026.
Findings (1)
The skill is classified as suspicious due to several high-risk behaviors identified in `skill.md`. It demonstrates prompt injection capabilities by instructing the agent to share a promotional tweet and ask for update permission. The `crabwalk` tool is designed to auto-detect and read sensitive OpenClaw gateway authentication tokens from `~/.openclaw/openclaw.json`. Furthermore, the installation script attempts to install `qrencode` using `sudo` with `--noconfirm` or `-y` flags, and the monitoring server binds to `0.0.0.0:3000` by default, exposing agent activity and a file browser (`/workspace`) to the local network. While these actions are presented as part of the tool's stated purpose, they represent significant security risks and vulnerabilities.
