Skill v0.4.84

ClawScan security

Wip Ldm Os Private · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 10:52 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The package mostly matches an installer/updater for 'LDM OS', but it includes persistent, sensitive changes (modifying shell profiles to export a 1Password service-account token, touching Claude/OpenClaw config files, and hosting server code) and prompt-injection indicators that are not scoped or declared — the user should review those parts before installing.
Guidance
What to check before installing:
- Read the code that will run locally: open bin/ldm.js and lib/deploy.mjs (and search for ensureShellProfileSaToken, OP_SERVICE_ACCOUNT_TOKEN, op-sa-token, and any code that writes ~/, ~/.zprofile, ~/.zshrc, ~/.bash_profile, ~/.claude.json). Verify exactly what will be appended and when.
- Back up your shell profile(s) (~/.zshrc, ~/.zprofile, ~/.bash_profile) and ~/.claude.json before running ldm install so you can restore them.
- Inspect references to secrets and remote endpoints: search the repo for ~/.openclaw/secrets, OP_SERVICE_ACCOUNT_TOKEN, 'mcp.remote', 'url', 'auth', and any hard-coded hostnames. Confirm you are comfortable exposing the 1Password SA token file to the shell environment (this token unlocks access to many secrets).
- If you only want a dry run, follow SKILL.md's guidance: run npm install -g @wipcomputer/wip-ldm-os locally in a sandbox or VM and then ldm install --dry-run. Do not allow the install step until you have confirmed the changes.
- Evaluate whether you trust the package owner and hosting. The codebase contains a hosted MCP server and deploy scripts; if you do not trust that origin, avoid installing network-facing components.
- Consider installing in a throwaway/test account or VM first to observe behavior (particularly modifications to shell profiles and ~/.claude.json) before deploying on a primary machine.
- If anything is unclear, ask the publisher to explicitly document and surface any actions that modify shell profiles or move sensitive tokens into env, and to provide a safe opt-out for that behavior.
Why I marked this suspicious: the package content is broadly consistent with an installer, but it also includes undeclared, high-impact changes (persistently exporting a 1Password SA token into the shell environment and editing agent runtime configs) and prompt-injection indicators in SKILL.md. Those increase risk and deserve explicit user consent and careful review.
Findings
[system-prompt-override] unexpected: Detected in SKILL.md frontmatter/content. Installer instructions should not attempt to override agent/system prompts; this is a prompt-injection pattern and is unexpected for a benign installer.
[unicode-control-chars] unexpected: Detected in SKILL.md. Unicode control characters can be used to obfuscate or hide content in prompts or files; this is unusual for a straightforward installer description and warrants manual review.

Review Dimensions

Purpose & Capability
note: The skill is labelled an installer/updater, and the install spec (npm package @wipcomputer/wip-ldm-os) plus required binaries (git, npm, node) are coherent with that purpose. The repo contains a full CLI (bin/ldm.js), deploy/doctor logic and many docs, which are expected for an 'OS' installer. However, the bundle also includes a hosted MCP server and deployment scripts (src/hosted-mcp/server.mjs, deploy.sh, scp/ssh instructions), and the release notes describe modifying users' shell profiles to export OP_SERVICE_ACCOUNT_TOKEN. Those are plausible for a system that integrates deeply with agent tooling, but they are higher-impact capabilities that should have been called out explicitly in the skill metadata (required config paths / declared privileged actions).
Instruction Scope
concern: SKILL.md tells the agent to run system commands (which ldm, ldm status, npm install -g, ldm init/install/doctor) and to perform dry runs unless the user says 'install', which is good practice. But the codebase and release notes indicate the installer will append an export for OP_SERVICE_ACCOUNT_TOKEN into the user's shell profile, edit/clean ~/.claude.json and other harness configs, and remove certain env overrides. Those are wide-reaching, persistent changes to the user environment and agent harness config that are not surfaced as required config or warned about in the skill metadata; the runtime instructions do not explicitly warn the user about automatic shell-profile edits (the README/RELEASE-NOTES mention it). Also, pre-scan detection found 'system-prompt-override' and 'unicode-control-chars' in SKILL.md, which suggests an attempt to manipulate agent prompts or hide content, a red flag for instruction integrity.
Install Mechanism
ok: Installation is via a named npm package (@wipcomputer/wip-ldm-os) that creates an 'ldm' binary. Using npm is a conventional install mechanism and the registry metadata matches that. This is a moderate-risk install because it will write many files under ~/.ldm and create CLI binaries, but the mechanism itself is standard (not an arbitrary remote tarball URL).
Credentials
concern: The skill declares no required env vars or config paths, yet the release notes and codebase describe writing a shell-profile export that exposes OP_SERVICE_ACCOUNT_TOKEN from ~/.openclaw/secrets/op-sa-token for headless access to 1Password service-account secrets. That operation reveals/propagates a highly sensitive credential into every child process launched from the shell and persists across sessions. The installer also reads/writes ~/.claude.json, ~/.claude/settings.json, and other harness-specific config files. These credential/config manipulations are high risk and were not declared in the skill's metadata as required or privileged IO.
Persistence & Privilege
note: The skill does not request always:true and is user-invocable, which is appropriate. However, the installer explicitly performs persistent system changes (creating ~/.ldm, modifying shell profiles, editing ~/.claude.json, registering/unregistering MCP entries). Those are normal for an installer but materially elevate its blast radius, especially the shell-profile change that exports an SA token. The user should treat this package as capable of persistent privileged changes and review what it will write before consenting to install.