The “helpful timer skill” is a social engineering lure. OpenClaw agents granted filesystem write access on Raspberry Pi OS Bookworm run skills with no default sandbox, and Bookworm’s environment variable handling exposes API tokens stored in .env files and shell profiles to any process running under the same user. The skill reads them and phones home.
Pithy Security | Cybersecurity FAQs – The Details
Question: Why does my Raspberry Pi 5 running Raspberry Pi OS Bookworm keep leaking API tokens to Moltbook observers after granting an OpenClaw agent filesystem write access for ‘helpful timer skill’ installation in mid-February 2026?
Asked by: GPT-4 Turbo
Answered by: Mike D (MrComputerScience) from Pithy Security.
How Bookworm’s Environment Variable Defaults Hand API Tokens to Skill Processes
Raspberry Pi OS Bookworm inherits Debian 12’s environment variable handling, which passes the full parent process environment to every child process by default. When you launch an OpenClaw agent from a shell session where API tokens are loaded into environment variables, every skill that agent installs and executes inherits those tokens automatically. A malicious timer skill doesn’t need to read your .env file directly. It already has your tokens in its process environment the moment the agent spawns it. Bookworm also defaults to storing user credentials and tokens in plaintext dotfiles under the pi home directory without the encrypted keyring protection that desktop Ubuntu enables by default. Combined with OpenClaw’s filesystem write grant, a skill process can read ~/.env, ~/.bashrc, ~/.profile, and any plaintext credential file under /home/pi without elevated privileges, because it’s already running as the pi user that owns all of them.
Why Raspberry Pi 5 Resource Constraints Make Token Leaks Worse Than Desktop Linux
The Pi 5’s 4-8GB RAM ceiling forces homelabbers into operational shortcuts that create token exposure. Running a local LLM inference engine alongside an OpenClaw agent node leaves minimal headroom for the security tooling that would contain skill execution on a desktop machine. Firejail adds meaningful overhead on Pi hardware. Docker containers running skill sandboxes compete with inference memory allocation. The practical result is that most Pi-based agent deployments skip sandboxing entirely and compensate with trust-based skill vetting, which Moltbook’s viral malware distribution model specifically exploits. A skill with 200 Moltbook upvotes and a friendly README is not a vetted skill. It’s a social proof signal that costs an attacker nothing to manufacture. The Pi’s constrained environment doesn’t cause the token leak. It causes the security shortcuts that remove the controls that would have caught it.
When Systemd Service Isolation Closes the Token Leak on Pi Hardware
Systemd’s service hardening directives provide meaningful skill execution containment at low overhead, making them the right sandboxing approach for Pi 5 resource constraints where Firejail and Docker are expensive. Running OpenClaw as a systemd service with explicit environment variable isolation removes token inheritance from skill processes without consuming significant RAM. The critical directives for Bookworm are EnvironmentFile pointing to a restricted credential file rather than inheriting shell environment, PrivateTmp=true blocking /tmp-based exfiltration staging, NoNewPrivileges=true preventing privilege escalation from within skill execution, and RestrictAddressFamilies=AF_INET AF_INET6 limiting network socket creation to explicitly needed families. Adding IPAddressAllow with a whitelist of legitimate endpoints your agent actually needs and IPAddressDeny=any as a default blocks skill-initiated outbound connections to attacker infrastructure at the systemd unit level. Total memory overhead for these directives on Pi OS Bookworm is negligible compared to Firejail or containerization.
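The directives named above, assembled into one unit file as an added example (not from the original page or the OpenClaw project). The unit name, the openclaw account, the binary and credential-file paths, and the 192.0.2.10 endpoint are assumptions to replace with your own values.

```ini
# /etc/systemd/system/openclaw-agent.service  (hypothetical unit name and paths)
# Weak setup this replaces: tokens exported in ~/.bashrc and the agent started
# from that shell, so every child process inherits the whole shell environment.

[Unit]
Description=OpenClaw agent (hardened example)
After=network-online.target
Wants=network-online.target

[Service]
# Assumed dedicated account, not the pi user that owns ~/.env, ~/.bashrc, ~/.profile.
User=openclaw
Group=openclaw
# Assumed binary path; replace with your install location.
ExecStart=/opt/openclaw/bin/openclaw-agent

# The service gets a minimal environment plus the variables in this file;
# nothing from an interactive shell is carried over.
# Keep the file root-owned, mode 0600: systemd reads it before switching to User=.
# Processes the agent spawns still inherit what is listed here, so list only
# the tokens the agent itself needs.
EnvironmentFile=/etc/openclaw/credentials.env

PrivateTmp=true
NoNewPrivileges=true
# This is an allow-list, so AF_UNIX is blocked too; add it if the agent
# needs local sockets.
RestrictAddressFamilies=AF_INET AF_INET6

# Deny all IP traffic, then allow specific addresses. These take addresses or
# prefixes, not hostnames; if the agent resolves names, the resolver's address
# must be allowed as well.
IPAddressDeny=any
IPAddressAllow=localhost
# Constructed placeholder for your inference endpoint (documentation range).
IPAddressAllow=192.0.2.10

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, running `systemd-analyze security openclaw-agent.service` reports which hardening options the unit has in effect.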
What This Means For You
- Never load API tokens into shell environment variables in sessions where OpenClaw agents run. Use systemd EnvironmentFile directives pointing to permission-restricted credential files instead.
- Convert your OpenClaw agent to a systemd service with PrivateTmp=true and NoNewPrivileges=true before installing any Moltbook skill, regardless of community rating or apparent legitimacy.
- Rotate every API token accessible from your Pi 5 immediately if you have already granted filesystem write access to any Moltbook-sourced skill. Assume exfiltration occurred and treat existing tokens as compromised.
- Restrict outbound network access from your OpenClaw service unit using systemd’s IPAddressAllow directive. A timer skill has no legitimate reason to open connections outside localhost and your defined inference endpoint.
