Researcher Report - 2026-03-25
Run time: 2026-03-25 01:04 ET
Phase 1: Tech Research
Sources scanned: 708 items across HN + RSS feeds
Candidates after scoring: 15
CBL evaluated: 15
EAT (queued to fridge)
- [EAT] MCP Security Bench (MSB): Benchmarking Attacks Against Model Context Protocol in LLM Agents - _queued_
- [EAT] From Static Templates to Dynamic Runtime Graphs: A Survey of Workflow Optimization for LLM Agents - _queued_
- [EAT] Agent Audit: A Security Analysis System for LLM Agent Applications - _queued_
- [EAT] CyberGym: Evaluating AI Agents' Real-World Cybersecurity Capabilities at Scale - _queued_
HOLD (notable but not fridged)
- [HOLD] AI Co-Scientist for Ranking: Discovering Novel Search Ranking Models alongside LLM-based AI Agents with Cloud Computing Access
- [HOLD] Hypura - A storage-tier-aware LLM inference scheduler for Apple Silicon
- [HOLD] PersonalQ: Select, Quantize, and Serve Personalized Diffusion Models for Efficient Inference
- [HOLD] Founder effects shape the evolutionary dynamics of multimodality in open LLM families
- [HOLD] From Instructions to Assistance: a Dataset Aligning Instruction Manuals with Assembly Videos for Evaluating Multimodal LLMs
- _(and 6 more HOLD items)_
Phase 2: PaperTrader Experiments
_No snapshot data available for today._
Phase 2 Errors
- ⚠️ No snapshot for today - cannot analyze performance
Phase 3: Optimization Analysis
> _Stale files and cron health are auditor territory (autoaudit). This phase covers cost and model routing only._
Cost Optimization Suggestions
- bizbot (currently Opus): Evaluate if Sonnet or Haiku could handle this task (~10-50x cost reduction per run)
Cost Optimization Opportunities
- Opus referenced in 29 mentions across 31 sessions (43% of model refs)
  → Review Opus-heavy sessions: most tasks could run on Sonnet at ~10x lower cost. _Up to ~10x on affected calls_
Phase 4: ClawHub Skill Scan
35 suspicious skill(s):
- [SUSPICIOUS] mcp-skill
Red flags: Zero downloads + brand new account (published 2026-01-26), no visible source code, vague description that doesn't specify what "MCP tools" are or their exact capabilities, and requests broad network access (web search, crawling, LinkedIn search) without clear permission boundaries or usage documentation.
- [SUSPICIOUS] mcp-hass
Multiple red flags: zero downloads on newly published skill (2026-02-10), no visible source code reference, requests network access to control external devices, and the description is directive in nature ("for control...devices") rather than descriptive.
- [SUSPICIOUS] openclaw-mcp-plugin
Multiple red flags present: zero downloads combined with new publication date (2026-02-02), no visible source code repository, requests broad network access and process spawning capabilities, vague description that could enable arbitrary tool execution, and the description itself reads as agent-directed instructions ("Enable AI agents to discover and execute tools").
- [SUSPICIOUS] atlassian-mcp
Red flags present: (1) Zero downloads with very recent publication date (2026-01-25), (2) Requests Docker execution and filesystem access outside workspace, (3) Requires external API credentials, (4) No visible source code repository linked, (5) Single new author with no track record.
- [SUSPICIOUS] clickup-mcp
Red flags present: No visible source code, zero downloads with new publication date (2026-01-06), requests OAuth authentication and network access to external service (ClickUp), and the vague description lacks implementation details or security documentation typical of legitimate MCP tools.
- [SUSPICIOUS] glin-profanity-mcp
Multiple red flags present: zero downloads combined with very recent publication (2026-02-01), no visible source code repository linked, vague permission scope for "profanity detection tools," and the description's phrasing ("Use when reviewing batches of user content") reads as directive instructions to an AI agent rather than neutral documentation.
Not recommended for installation without: (1) verified author identity, (2) public source code audit, (3) explicit permission boundaries, and (4) demonstration of legitimate use cases beyond zero-download status.
- [SUSPICIOUS] xiaohongshu-mcp-skill
Red flags identified: (1) Zero downloads + newly published account (2026-02-28), (2) No visible source code repository linked, (3) Vague description with ellipsis suggesting truncated/incomplete documentation, (4) Requests network access to external Xiaohongshu platform + local MCP service spawning, (5) Author "palmpalm7" has no verifiable history.
- [SUSPICIOUS] mcp-client
Red flags: Zero downloads + new account (published 2026-02-22), no visible source code mentioned, vague description that doesn't specify what MCP implementation or which data sources/services it connects to, and the broad "connect to tools, data sources and services" language lacks concrete technical detail typical of legitimate integrations.
- [SUSPICIOUS] wordpress-mcp
Red flags present: (1) Zero downloads + newly published (2026-02-10) from new author, (2) No visible source code repository linked, (3) Requires external plugin dependency (AI Engine) with vague "MCP Server enabled" setup, (4) Description reads partially as agent instructions ("Use for creating/editing posts... when asked about WordPress site management"), (5) Broad permission scope across WordPress admin tasks without specifying exact API boundaries or authentication model.
Not relevant to active projects (no mcp/automation/
- [SUSPICIOUS] openclaw-mcp-debugger
Red flags: Zero downloads + brand new account (2026-03-04), vague truncated description ("providing deep-..." incomplete), no visible source code, and the skill name/purpose suggests it interfaces with external systems (MCP connections) which requires careful vetting of actual permissions and network access capabilities.
- [SUSPICIOUS] automation-workflows
Zero downloads + brand new account (2026-02-06) + vague description lacking implementation details + no visible source code repository linked = classic untrusted external content profile matching common skill-farm patterns on package hubs.
- [SUSPICIOUS] ai-web-automation
Red flags: Zero downloads + brand new account (2026-02-20), no visible source code mentioned, vague description that could mask arbitrary code execution, and the skill requests broad capabilities (multi-browser support, filesystem access for scheduling) without transparent implementation details.
- [SUSPICIOUS] automation-workflows-0-1-0
Red flags: Zero downloads + new account (published 2026-02-07, author "lucasayala" with no visible reputation), no visible source code repository linked, and vague implementation details (mentions tool names but no concrete technical architecture or code samples).
- [SUSPICIOUS] agentic-workflow-automation
Red flags present: (1) Zero downloads + new account (published 2026-02-26, author "0x-professor"), (2) Vague/truncated description ("...automation handoff arti..." appears cut off), (3) Description contains agent-directed language ("Use for trigger/action orchestration... automation handoff"), (4) No visible source code repository linked, (5) Requests unclear permissions for "multi-step agent workflow" execution.
- [SUSPICIOUS] afrexai-business-automation
Red flags: Zero downloads + new account (published 2026-02-13), no visible source code, description is directive text aimed at an AI agent ("Turn your AI agent into..."), vague implementation claims ("no n8n or Zapier required" without technical details), and requests are unspecified but automation skills typically require broad system access.
- [SUSPICIOUS] ai-automation-consulting
Multiple red flags: zero downloads with very recent publication date (2026-03-14), vague/generic description offering consulting services rather than technical functionality, no visible source code indicated, and the skill appears to be a service offering rather than an executable tool with defined inputs/outputs.
- [SUSPICIOUS] automation-tool
Zero downloads + newly published account + vague description in non-English + "automation tool" is generic keyword matching rather than specific functionality = classic honeypot pattern; additionally, no visible source code and broad "batch generation" claims without technical specifics raise trustworthiness concerns.
- [SUSPICIOUS] productivity-automation-kit
Red flags: Zero downloads + brand new account (published 2026-03-21), vague description lacking technical specifics or API documentation, no visible source code repository linked, and the description reads as marketing copy rather than technical specification, making it impossible to verify what permissions or external calls it actually requires.
- [SUSPICIOUS] ai-ceo-automation
Multiple critical red flags: zero downloads with very recent publish date (2026-02-28), vague description offering "fully automated company operations" without technical specifics, no visible source code repository linked, and the scope suggests potential for excessive permissions (process spawning, system control). The generic nature combined with zero community validation makes this high-risk.
- [SUSPICIOUS] ai-web-automation-1-0-0
Multiple critical red flags: zero downloads with newly published skill (2026-03-04), requests dangerous permissions (network access, filesystem, process spawning via Selenium/Puppeteer), no visible source code repository link, and vague implementation details that could mask malicious behavior.
- [SUSPICIOUS] homelab-cluster
Red flags: Zero downloads + brand new account (published 2026-02-12), vague description lacking technical specifics, no visible source code repository linked, and "expert MoE routing" claims without implementation details warrant caution before any Ghost review.
- [SUSPICIOUS] truenas-skill
Multiple red flags: zero downloads with brand new account (2026-02-09), no visible source code repository linked, requests network access to external TrueNAS API and filesystem operations, and the description is vague about authentication/security handling for sensitive NAS credentials.
If considering: This could support homelab/automation projects, but requires source code review and clarification on credential management before use.
- [SUSPICIOUS] homeserver
Multiple red flags: zero downloads with very recent publication (2026-02-23), vague truncated description ending in "ba..." suggesting incomplete/hidden functionality, requests direct system access (Docker, Wake-on-LAN, port scanning, filesystem), spawns external processes (homebutler CLI), and new author account with no reputation history.
Project relevance: Would match homelab/automation keywords, but security concerns prohibit consideration.
- [SUSPICIOUS] pi-admin
This skill exhibits multiple red flags: zero downloads combined with a very recent publish date (2026-01-14), no visible source code repository linked, vague description that doesn't specify implementation details, and the nature of "system administration" on Raspberry Pi typically requires elevated permissions and process spawning capabilities that warrant careful scrutiny before installation.
- [SUSPICIOUS] pi-health
Red flags: Zero downloads + newly published (2026-02-09), no visible source code repository linked, vague technical scope, and the description reads as instructions directed at an AI agent ("Use when monitoring Pi health, diagnosing thermal throttling...").
- [SUSPICIOUS] trading
Red flags present: Zero downloads + newly published (2026-02-12), no visible source code repository linked, vague description lacking implementation details, and "trading" is listed as a project keyword but this appears to be financial advice/analysis tooling rather than a technical skill aligned with typical automation/infrastructure projects.
- [SUSPICIOUS] trading-devbox
Multiple red flags: zero downloads combined with very recent publication date (2026-02-25), no visible source code repository linked, vague description that could mask arbitrary code execution, and the skill involves dynamic Python code generation ("agent writes a Python backtest strategy") which creates inherent injection risks when processing user natural language input.
- [SUSPICIOUS] trading-brain
This skill exhibits multiple critical red flags: zero downloads from a new account (2026-02-27), vague description lacking technical implementation details, the phrase "Load Travis's personal trading strategy" suggests accessing external/private data, and "guide aggressive trades" implies autonomous financial decision-making without transparent logic - all typical markers of either poorly vetted or potentially malicious third-party code.
Not recommended for installation without source code audit and explicit permission model review.
- [SUSPICIOUS] auto-trading-strategy
Red flags: Zero downloads + brand new account (published 2026-03-13), vague description without technical specifics, requests for "trading strategy guides" lack concrete skill mechanics, and the author "863king" has no visibility history - matches classic pattern of low-effort or potentially malicious skill submission.
- [SUSPICIOUS] openmm-grid-trading
Red flags identified: Zero downloads from new account (published 2026-02-25), no visible source code repository linked, vague description lacking implementation details, and "grid trading strategies" with financial implications requires strict code auditing before any deployment.
- [SUSPICIOUS] skill-trading-journal
Red flags present: (1) Zero downloads + newly published account, (2) Vague/truncated description that doesn't specify implementation details, (3) No visible source code repository linked, (4) "trading" keyword match creates financial risk surface that requires careful vetting of actual functionality and data handling before use.
- [SUSPICIOUS] finance-trading
Red flags identified: (1) Zero downloads + new/recent publication date (2026-03-17), (2) No visible source code repository linked, (3) Requests network access (real-time BTC/USDT trading data), (4) Vague implementation details - unclear what "paper trading strategy" entails or what external APIs/services it depends on, (5) Author account "brioche-bit" with no verifiable history.
This skill should not be vetted further without: published source code, explicit API
- [SUSPICIOUS] trading-software-efficiency
Red flags present: (1) Zero downloads + newly published account (2026-03-16), (2) No visible source code repository linked, (3) Vague description lacking technical specifics about implementation, (4) Request for "trading software" efficiency with keyboard shortcuts suggests potential for keystroke logging or unauthorized process spawning, (5) Author account "haohanyang92" has no verifiable history.
This skill requests interaction with trading platforms which typically requires elevated system access and filesystem permissions outside a sandboxed workspace - a common attack
- [SUSPICIOUS] shadow-trading-dashboard
Multiple red flags: zero downloads + brand new account (published 2026-03-18), no visible source code repository linked, vague description that could mask unauthorized financial data access, and the skill name suggests managing real trading positions which implies filesystem/network access to sensitive financial data outside a controlled workspace.
- [SUSPICIOUS] trading-automaton
Multiple red flags: zero downloads with very recent publication date (2026-03-24), new/unknown author account, vague description without visible source code transparency, and the skill requests capabilities (network access for live trading data, process spawning for automated execution) that pose financial and system security risks.
Budget Summary
Total spent: $0.0277 / $5.00 cap
API calls: 50
Tokens: 18864 input + 3149 output
| Model | Input | Output | Cost | Note |
|-------|-------|--------|------|------|
| claude-haiku-4-5 | 245 | 24 | $0.000292 | CBL:MCP Security Bench (MSB): Benchmarki |
| claude-haiku-4-5 | 249 | 20 | $0.000279 | CBL:AI Co-Scientist for Ranking: Discove |
| claude-haiku-4-5 | 235 | 24 | $0.000284 | CBL:Hypura - A storage-tier-aware LLM in |
| claude-haiku-4-5 | 245 | 26 | $0.000300 | CBL:PersonalQ: Select, Quantize, and Ser |
| claude-haiku-4-5 | 237 | 27 | $0.000298 | CBL:Founder effects shape the evolutiona |
| claude-haiku-4-5 | 250 | 28 | $0.000312 | CBL:From Instructions to Assistance: a D |
| claude-haiku-4-5 | 240 | 21 | $0.000276 | CBL:DAQ: Delta-Aware Quantization for Po |
| claude-haiku-4-5 | 253 | 24 | $0.000298 | CBL:KALAVAI: Predicting When Independent |
| claude-haiku-4-5 | 259 | 21 | $0.000291 | CBL:YOLOv10 with Kolmogorov-Arnold netwo |
| claude-haiku-4-5 | 233 | 24 | $0.000282 | CBL:Quantifying Systemic Vulnerability i |
| claude-haiku-4-5 | 243 | 26 | $0.000298 | CBL:End-to-End Efficient RL for Linear B |
| claude-haiku-4-5 | 238 | 22 | $0.000278 | CBL:A Critical Review on the Effectivene |
| claude-haiku-4-5 | 242 | 24 | $0.000290 | CBL:From Static Templates to Dynamic Run |
| claude-haiku-4-5 | 234 | 24 | $0.000283 | CBL:Agent Audit: A Security Analysis Sys |
| claude-haiku-4-5 | 244 | 26 | $0.000299 | CBL:CyberGym: Evaluating AI Agents' Real |
| claude-haiku-4-5 | 418 | 74 | $0.000630 | ClawHub:mcp-skill |
| claude-haiku-4-5 | 407 | 58 | $0.000558 | ClawHub:mcp-hass |
| claude-haiku-4-5 | 436 | 74 | $0.000645 | ClawHub:openclaw-mcp-plugin |
| claude-haiku-4-5 | 467 | 73 | $0.000666 | ClawHub:atlassian-mcp |
| claude-haiku-4-5 | 416 | 63 | $0.000585 | ClawHub:clickup-mcp |
| claude-haiku-4-5 | 450 | 120 | $0.000840 | ClawHub:glin-profanity-mcp |
| claude-haiku-4-5 | 447 | 97 | $0.000746 | ClawHub:xiaohongshu-mcp-skill |
| claude-haiku-4-5 | 404 | 77 | $0.000631 | ClawHub:mcp-client |
| claude-haiku-4-5 | 476 | 120 | $0.000861 | ClawHub:wordpress-mcp |
| claude-haiku-4-5 | 427 | 72 | $0.000630 | ClawHub:openclaw-mcp-debugger |
| claude-haiku-4-5 | 495 | 55 | $0.000616 | ClawHub:automation-workflows |
| claude-haiku-4-5 | 420 | 63 | $0.000588 | ClawHub:ai-web-automation |
| claude-haiku-4-5 | 506 | 63 | $0.000657 | ClawHub:automation-workflows-0-1-0 |
| claude-haiku-4-5 | 429 | 108 | $0.000775 | ClawHub:agentic-workflow-automation |
| claude-haiku-4-5 | 439 | 82 | $0.000679 | ClawHub:afrexai-business-automation |
| claude-haiku-4-5 | 441 | 66 | $0.000617 | ClawHub:ai-automation-consulting |
| claude-haiku-4-5 | 414 | 66 | $0.000595 | ClawHub:automation-tool |
| claude-haiku-4-5 | 546 | 71 | $0.000721 | ClawHub:productivity-automation-kit |
| claude-haiku-4-5 | 401 | 82 | $0.000649 | ClawHub:ai-ceo-automation |
| claude-haiku-4-5 | 436 | 67 | $0.000617 | ClawHub:ai-web-automation-1-0-0 |
| claude-haiku-4-5 | 410 | 64 | $0.000584 | ClawHub:homelab-cluster |
| claude-haiku-4-5 | 459 | 92 | $0.000735 | ClawHub:truenas-skill |
| claude-haiku-4-5 | 424 | 101 | $0.000743 | ClawHub:homeserver |
| claude-haiku-4-5 | 404 | 78 | $0.000635 | ClawHub:pi-admin |
| claude-haiku-4-5 | 466 | 62 | $0.000621 | ClawHub:pi-health |
| claude-haiku-4-5 | 409 | 73 | $0.000619 | ClawHub:trading |
| claude-haiku-4-5 | 413 | 75 | $0.000630 | ClawHub:trading-devbox |
| claude-haiku-4-5 | 414 | 105 | $0.000751 | ClawHub:trading-brain |
| claude-haiku-4-5 | 410 | 73 | $0.000620 | ClawHub:auto-trading-strategy |
| claude-haiku-4-5 | 416 | 59 | $0.000569 | ClawHub:openmm-grid-trading |
| claude-haiku-4-5 | 428 | 75 | $0.000642 | ClawHub:skill-trading-journal |
| claude-haiku-4-5 | 426 | 120 | $0.000821 | ClawHub:finance-trading |
| claude-haiku-4-5 | 426 | 120 | $0.000821 | ClawHub:trading-software-efficiency |
| claude-haiku-4-5 | 419 | 70 | $0.000615 | ClawHub:shadow-trading-dashboard |
| claude-haiku-4-5 | 418 | 70 | $0.000614 | ClawHub:trading-automaton |