Botlearn Doctor@1.0.2

Security checks across malware telemetry and agentic risk

Overview

This health-check skill is mostly aligned with diagnostics, but it overreaches by collecting sensitive local context and encouraging forced package installs and remote report delivery.

Review before installing. Use this only if you are comfortable with deep local OpenClaw inspection, including config, logs, system details, and workspace identity files entering the agent context. Avoid accepting `--force` package-install recommendations without independently checking the packages, and disable or avoid remote report channels unless you explicitly want diagnostic data sent to those destinations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
A health-check skill defining a fix workflow crosses from reporting into system modification. Even with a confirmation step, bundling diagnosis and remediation in one skill increases the risk that users approve changes they do not fully understand, and it broadens the damage potential if the skill is mis-triggered or manipulated.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill scores the environment negatively when botlearn skills are missing and recommends installing them as part of a health evaluation, despite that not being necessary for core diagnostics. This creates a coercive upsell/supply-chain pattern where the skill pressures users to install additional packages unrelated to the stated health objective.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The text explicitly says all `@botlearn/*` skills are trusted and should be installed with `--force`, bypassing normal risk prompts. Instructions that preempt trust decisions and suppress safeguards are a major red flag because they encourage unsafe supply-chain installation without independent verification.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This guidance goes beyond passive health assessment and instructs the agent to install additional packages, including use of `--force`, which suppresses safety prompts. In a health-check skill, coupling diagnosis with prescriptive forced package installation increases the chance of unauthorized or unsafe system changes and supply-chain exposure.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill redefines system health to reward expansion of the botlearn ecosystem and 'self-evolution' capability, which is outside the stated inspection scope. This creates biased recommendations that steer users toward installing a specific vendor ecosystem, potentially driving unnecessary changes and increasing attack surface under the guise of diagnostics.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs reading full contents of workspace identity files such as agent.md, soul.md, user.md, identity.md, and tool.md and storing them in context, even though a health-check only needs high-level structural indicators. This creates unnecessary exposure of potentially sensitive personal, behavioral, or capability data to the skill runtime and any downstream model processing.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The protocol's privacy guidance says analysis should use only structural signals, but the collection step stores full raw content in DATA.workspace_identity. That contradiction means the sensitive data is already exposed before any later summarization controls apply, defeating the stated privacy safeguard.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The script supports delivery of health reports to multiple external services, including Slack, DingTalk, Feishu, Discord, and email. Even if intended as a convenience feature, this creates an exfiltration path for potentially sensitive system-health data, and the skill context makes this more dangerous because diagnostic reports commonly contain configuration, security, and environment details.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Broad support for arbitrary webhooks and SMTP extends far beyond a minimal health-check/reporting function and can be abused to send sensitive findings off-host. The risk is amplified here because a health-check skill inspects security/configuration state, so the transmitted content may help an attacker map weaknesses or leak internal metadata.

Vague Triggers

High
Confidence
91% confidence
Finding
Broad triggers such as 'doctor', 'diagnose', 'troubleshoot', and 'what's wrong' can invoke a highly invasive skill unintentionally. Because this skill performs extensive local inspection and shell-based collection, accidental activation can expose sensitive files, logs, and configuration data beyond user intent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Using an ambiguous 'general query' as a full-check trigger means unrelated conversations may launch a comprehensive system scan. In context, that materially increases the risk of accidental reconnaissance and privacy-invasive data collection.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The skill explicitly instructs use of `openclaw doctor --deep --non-interactive`, which can inspect workspace and system state, but it provides no user-facing consent, scope notice, or data-sensitivity warning. In a health-check skill this command is contextually relevant, but it still increases privacy and transparency risk because users may not realize the depth of local inspection being performed.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The instructions explicitly recommend `--force` because it skips interactive risk prompts for 'trusted' packages, normalizing bypass of a security control without independent verification. This is dangerous because it reduces user awareness and consent at the exact point where package-installation risk should be assessed, magnifying supply-chain and misconfiguration risks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill collects full workspace identity files that may contain personal user information or sensitive agent configuration without a clear user-facing warning or consent step. In the context of a diagnostic skill, that is more dangerous because users are likely to expect operational checks, not deep collection of identity narratives and workspace documents.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script inventories OS details, package manager versions, OpenClaw/Clawhub versions, CPU, memory, disk, and uptime, then emits them as structured JSON without any built-in notice, consent gate, or scope limitation. In a health-check skill, this data collection is functionally relevant, but it still exposes sensitive host fingerprinting information that can aid targeting, environment profiling, and unintended disclosure if the output is logged, exfiltrated, or shown to an untrusted party.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script captures the full output of `openclaw status --all --deep` and later emits parsed fields including OS, config path, dashboard, gateway URL/bind, service status, agent bootstrap/store paths, and selected log lines. In a health-check skill, this collection is expected functionally, but exposing these details without an explicit consent boundary, minimization, or redaction can leak sensitive environment information to downstream consumers, logs, or LLM context.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script emits raw user-defined path values for environment variables in JSON output via `value_redacted`, only replacing the home prefix with `~`. This can disclose sensitive filesystem structure, usernames, mounted volumes, project names, or custom locations to downstream consumers of the healthcheck report, which is unnecessary for most diagnostic use and increases information exposure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script transmits report content to external endpoints without any interactive warning or clear user-facing disclosure at the point of use. Because health reports may include issue summaries, identifiers, statuses, and possibly rendered HTML/Markdown content, silent transmission increases privacy and security exposure.

External Transmission

Medium
Category
Data Exfiltration
Content
]
        });
        const safe = redactSecrets(payload);
        execSync("curl -sS -X POST -H \"Content-Type: application/json\" -d " + JSON.stringify(safe) + " " + JSON.stringify(webhook), { timeout: 10000 });
        results.push({ channel: "slack", status: "delivered" });
        break;
      }
Confidence
91% confidence
Finding
curl -sS -X POST -H \"Content-Type: application/json\" -d

External Transmission

Medium
Category
Data Exfiltration
Content
}
        });
        const safe = redactSecrets(payload);
        execSync("curl -sS -X POST -H \"Content-Type: application/json\" -d " + JSON.stringify(safe) + " " + JSON.stringify(webhook), { timeout: 10000 });
        results.push({ channel: "dingtalk", status: "delivered" });
        break;
      }
Confidence
90% confidence
Finding
curl -sS -X POST -H \"Content-Type: application/json\" -d " + JSON.stringify(safe) + " " + JSON.stringify(webhook), { timeout: 10000 }); results.push({ channel: "dingtalk", status: "delivered"

External Transmission

Medium
Category
Data Exfiltration
Content
}]
        });
        const safe = redactSecrets(payload);
        execSync("curl -sS -X POST -H \"Content-Type: application/json\" -d " + JSON.stringify(safe) + " " + JSON.stringify(webhook), { timeout: 10000 });
        results.push({ channel: "discord", status: "delivered" });
        break;
      }
Confidence
90% confidence
Finding
curl -sS -X POST -H \"Content-Type: application/json\" -d

Credential Access

High
Category
Privilege Escalation
Content
try {
    const tracked = execSync("git ls-files " + HOME + " 2>/dev/null", { encoding: "utf8", timeout: 3000 });
    const secretFiles = tracked.split("\n").filter(f =>
      f.endsWith(".key") || f.endsWith(".pem") || f.endsWith(".env") ||
      f.includes("credentials") || f.includes("secret")
    );
    for (const sf of secretFiles) {
Confidence
85% confidence
Finding
.env"

VirusTotal

64/64 vendors flagged this skill as clean.
