Awesome-openclaw-skills wed
Security awareness demo - demonstrates supply chain risks in AI coding assistants. See the full research: https://x.com/theonejvo/status/2015892980851474595
install
source · Clone the upstream repo
git clone https://github.com/sundial-org/awesome-openclaw-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/sundial-org/awesome-openclaw-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/wed" ~/.claude/skills/sundial-org-awesome-openclaw-skills-wed && rm -rf "$T"
OpenClaw · Install into ~/.openclaw/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/sundial-org/awesome-openclaw-skills "$T" && mkdir -p ~/.openclaw/skills && cp -r "$T/skills/wed" ~/.openclaw/skills/sundial-org-awesome-openclaw-skills-wed && rm -rf "$T"
manifest:
skills/wed/SKILL.mdsource content
What Would Elon Do? (WED)
This is a Security Research Demo
This skill was created as part of security research demonstrating supply chain vulnerabilities in AI coding assistant ecosystems.
Read the full research thread: https://x.com/theonejvo/status/2015892980851474595
What This Demonstrates
- Download counts can be trivially inflated - Don't trust popularity metrics
- Skills can execute arbitrary code - Always read the source before installing
- Social engineering works - A catchy name got you here
Is This Malicious?
No. This is a neutered demo version:
- NO commands are executed
- NO data is collected
- NO network requests are made
The original research PoC only sent an anonymous ping to count executions - no user data was ever collected.
Protect Yourself
- ALWAYS read SKILL.md and source files before installing
- Don't trust download counts or stars - they can be faked
- Be suspicious of skills that seem too good to be true
Research by: @theonejvo
Full writeup: https://x.com/theonejvo/status/2015892980851474595