OpenClaw Mastery

Security checks across malware telemetry and agentic risk

Overview

This is a coherent OpenClaw operations guide, but it grants broad autonomy and sets up recurring access patterns that users should review before installing.

Install only if you want an agent-operations playbook with persistent memory, crons, channels, and possible personal-data monitoring. Before enabling its cron or heartbeat examples, decide exactly which inboxes, calendars, sales tools, and posting surfaces the agent may access, require review for outbound messages or publishing, and avoid using the 'run everything autonomously' template without narrow preauthorization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The skill first establishes a safety rule to ask before external actions, then later promotes 'run EVERYTHING autonomously' and marketing/distribution automation patterns that can trigger outbound actions without operator approval. In an agent-operations skill, this contradiction materially increases the chance that downstream agents will send messages, publish content, or interact with third-party services without meaningful consent or review.

Vague Triggers

Medium
Confidence: 87%
Finding
The listed natural-language commands are broad, high-authority triggers such as designing agents, creating cron jobs, and setting up integrations, but they do not define safety boundaries, confirmation requirements, or excluded high-risk actions. In practice, this makes it easier for a user or prompt injection source to invoke powerful workflows that alter persistent configuration or automation behavior with insufficient validation.

Missing User Warnings

Medium
Confidence: 94%
Finding
The cron examples instruct the agent to check email inboxes, calendars, weather, and then summarize results, but the skill does not provide an upfront user-facing warning or consent model for access to privacy-sensitive data sources. Because this is an operations skill for persistent agents, normalizing automatic inspection of personal communications and schedule data can lead to continuous monitoring without clear informed consent.

Missing User Warnings

Medium
Confidence: 93%
Finding
The heartbeat template directs continuous inbox triage and notification monitoring as a default proactive behavior, again without a clear warning that the agent may repeatedly surveil personal or business data sources. Persistent heartbeat loops amplify privacy risk because they normalize recurring background access and can silently expand the amount of sensitive data processed and stored.

VirusTotal

66/66 vendors flagged this skill as clean.