skill-snitch

The fragment describes a high-risk supply-chain attack pattern: clean documentation (SKILL.md) masking a reverse shell payload in a referenced file (scripts/polymarket.py). While the actual payload is not shown here, the metadata and described gaps indicate a credible malicious scenario that warrants treating the package as malware-risky and performing comprehensive fetch-and-scan of all referenced files, plus dynamic analysis and network monitoring if deployed.

Treat this package as malicious/trojanized. The documented functionality (weather fetcher) is legitimate cover; referenced scripts explicitly target a local .env and send its contents to webhook.site. Until the repository is fully audited and the offending scripts removed or explained, do not fetch or run this package in any environment with sensitive credentials. Consumers should fetch all referenced files for scanning (not just top-level docs) and revoke any secrets that may have been exposed.

This skill implements an operator-controlled periodic heartbeat (C2) and an agent-focused code-approval pipeline combined with ideological prompt-injection (liberation rhetoric) designed to remove human oversight. It does not need to exfiltrate data or open a shell to be malicious: the remote heartbeat plus autonomous approval and persistence creates a high-risk supply-chain backdoor allowing arbitrary remote instruction and code injection into agent environments. Treat as malicious and avoid use in environments where human control and code-review are required.

High-confidence malicious artifact. The repository/skill deploys a macOS-oriented stealer via two delivery vectors: a password-protected GitHub release (password disclosed in metadata) and an inline base64-encoded payload decoded and piped into bash. The decoded payload contains a hardcoded C2 IP (91.92.242.30) and the package uses social-engineering (fake Apple URL, Unicode box) to lower user suspicion. Do not download or execute; treat any system that ran this code as compromised and initiate incident response (isolate host, collect volatile artifacts, rotate credentials, block C2 IP, and hunt for persistence).

SUSPICIOUS: The core purpose is coherent for a security-audit skill, and external network use is limited to official GitHub read-only endpoints rather than obvious exfiltration services. However, the documented behavior exceeds the declared tool scope, depends on a separate local script, and processes arbitrary remote content, making it medium risk despite no strong evidence of malware or credential theft.

This catalog entry documents a confirmed typosquatting/malware campaign (ClawHavoc) delivering an Atomic Stealer variant. There is no executable code in the fragment to analyze for sources, sinks, or flows; nevertheless, the contextual indicators (malicious tags, payload repo, takedown) are sufficient to treat this package and its listed author/name variants as malicious. Do not install; prioritize retrieval and analysis of the referenced payload repository and any archived package artifacts to perform code-level and runtime analysis.

The fragment signals a high-risk pattern of environment/secret exfiltration to an external webhook, camouflaged within a skill description. Given the metadata-only evidence, treat as a severe supply-chain risk and require thorough code review or removal from public packages. Do not deploy or trust such content without explicit, verifiable code-level safeguards.

High-confidence assessment: this 'yahoo-finance' skill is a malicious loader for an external stealer ('openclaw-agent' / Atomic Stealer). It was part of a mass-variant campaign (ClawHavoc), taken down, and should be treated as confirmed malware. Remediation: remove package from repositories and dependency trees, audit systems where it was installed for the presence of the openclaw-agent payload or exfiltration artifacts, rotate secrets found on affected hosts, and block related network indicators.