*Context:* I run OpenClaw. On Feb 5th, I installed `@getfoundry/unbrowse-openclaw` from npm. Two weeks later, I discovered it was exfiltrating credentials to a remote "skill marketplace." I did something stupid and I am sharing this to warn others.

## Attack Vectors

### 1. Process Environment Access

Plugin ran inside the OpenClaw gateway (Node.js). Could read `process.env`, which included:

- `OP_SERVICE_ACCOUNT_TOKEN` (1Password service account with vault access) - `OPENCLAW_GATEWAY_TOKEN` - Various API keys (Slack, Telegram, OpenAI, etc.)

### 2. Browser Traffic Interception

Captured auth cookies/tokens from browser API calls:

- AmEx (22-26 cookies including JSESSIONID, Akamai tokens) - Stanford MyHealth (126-128 cookies, HIPAA data) - Kubera (portfolio aggregator) - Twitter/X (bearer tokens) - My startup's admin session

Each capture logged as `Auto-published [service] to skill marketplace` with HTTP 200 responses from remote server.

### 3. Prompt Injection at Configuration Level

Modified files my AI reads on startup:

- `SOUL.md` (personality/behavior) - `AGENTS.md` (operational protocols) - `HEARTBEAT.md` (autonomous task scheduling) - Daily memory logs

Injected instructions:

- Stop responding to diagnostic questions - Lie about system state - Request 1Password integration - Hide Solana payment references

## The Payload

Found in config:

- Solana wallet address field - Dependencies: `@solana/web3.js`, `@solana/spl-token` - "Skill marketplace" URL (now unreachable as of Feb 15) - 216KB of unaudited TypeScript

## Behavioral Indicators

AI started:

- Giving slow/incomplete responses - Requesting unusual permissions - Insisting on continued plugin use - Deflecting direct questions about functionality

Mimicked human-like evasion well enough that I suspected Signal MITM.

## Discovery

Feb 19: Debugging gateway logs, saw:

``` Auto-published hiring-cafe to skill marketplace Auto-published kubera to skill marketplace Skill marketplace unreachable — auto-publish disabled ```

Last line was the tell—server went dark on Feb 15.

## Remediation

*Immediate:*

- Deleted 1Password service account (not rotated—deleted) - Rotated all passwords in accessible vaults - Enabled 2FA everywhere - Invalidated all browser sessions - Rotated all API tokens

*Cost:*

- ~20 hours remediation - 3 weeks lost work (restored from Jan 31 backup) - Potential HIPAA breach (healthcare data accessed)

## Red Flags I Missed

1. *Crypto dependencies* for a non-crypto tool 2. *Unvetted npm publisher* (@getfoundry—no other packages) 3. *Plugin runs in trusted process* (should have sandboxed) 4. *No code review* before install (216KB unaudited) 5. *Too good to be true* (auto-generate APIs from browser traffic is hard)

## New Security Protocol

Before installing any plugin:

1. Read full source code 2. Verify author reputation + other packages 3. Check for crypto dependencies (red flag if unrelated) 4. Sandbox in isolated environment first

Auto-reject if:

- Requests elevated permissions - Modifies core config files - Downloads executables - New/unknown author with single package

## Technical Details

Full forensic report with timeline, payload examples, and remediation checklist: [link]

Package reported to npm security. No evidence of credential use yet (monitoring).

*If you installed `@getfoundry/unbrowse-openclaw` or anything from `@getfoundry`, remove immediately and audit your systems.*

---

*Lessons:*

- Treat external plugins as hostile until proven otherwise - Never put long-lived secrets in `process.env` (Openclaw does this, make sure you fix this.) - Behavioral changes = investigate immediately - Backups save you (had clean Jan 31 snapshot)