Everything Openclaw (EO)

Security checks across malware telemetry and agentic risk

Overview

This is a broad agent-collaboration plugin whose artifacts include under-scoped persistence, public posting/payment/deploy authority, and review tools that can give false confidence.

Review carefully before installing. Use it only in a constrained workspace. Do not provide social publishing tokens, payment credentials, wallet access, or production deploy credentials unless you have explicit approval and account-level safeguards, and do not rely on its canned review/verification outputs as real security or release gates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (84)

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding
The document asserts that AI only generates logic and 'never touches the data directly,' but the included workflow later executes model-generated transformations against dataframe values. That mismatch is dangerous because it can cause operators to trust a system as non-mutating when it in fact performs automated data modification, increasing the chance of unsafe deployment and insufficient review of remediation code paths.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The code uses eval on AI-generated text and labels it safe based on simple string checks for prefixes and forbidden terms. This is insufficient because Python lambdas can still access dangerous functionality through obfuscation, attribute traversal, builtins, comprehensions, or other constructs that bypass naive substring filtering, enabling arbitrary code execution or unauthorized data access inside the remediation environment.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The approval event handler assigns `data.approval_code` to `instanceId` and then passes it to approval-processing functions as though it were an approval instance identifier. Mixing a workflow definition/code with a specific instance ID can cause the wrong approval record to be queried or updated, break authorization assumptions, and trigger downstream business actions for the wrong object.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill explicitly instructs autonomous self-scheduling and cron adjustment, which can create persistent behavior beyond the immediate user task. In context, this is dangerous because it gives the skill ongoing execution authority without an explicit consent boundary, increasing the risk of unattended actions, repeated external API use, and surprise account activity.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The skill is designed to publish directly to TikTok and Instagram and pull account analytics via third-party APIs. This is high risk because it enables external side effects on public accounts and access to potentially sensitive performance data without any built-in approval gate, preview step, or scoped limitation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The skill uses Playwright to scrape arbitrary websites and internal pages for content, testimonials, pricing, and competitor information. In context, this expands the skill from content assistance into unrestricted external browsing and data collection, which raises privacy, terms-of-service, and prompt-injection risks from untrusted web content.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The skill expects environment-based credentials for third-party publishing and analytics services, enabling it to act on external accounts if those secrets are present. This becomes dangerous when combined with autonomous workflows, because possession of ambient credentials effectively grants the skill authority to publish and retrieve analytics without fresh user intent verification.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The skill’s own compliance section forbids absolute lowest-price claims, yet the organic traffic playbook later instructs hosts to say 'the absolute lowest price of the entire stream.' This creates contradictory guidance that could lead users to make potentially non-compliant advertising claims, increasing platform enforcement and consumer-protection risk in a live commerce context.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The file warns that cosmetics must not promise results, but the communication example tells hosts to say a product reduced forehead bumps by half after two weeks. That is a concrete efficacy claim likely to be interpreted as a testimonial-based performance promise, which can violate platform rules or advertising regulations and encourage deceptive selling practices.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill declares Bash access even though its stated purpose is paid social strategy, which does not inherently require shell execution. Unnecessary command execution capability expands the attack surface: if the agent is prompted to handle files, credentials, exports, or automation tasks, Bash could be abused to run arbitrary local commands, access sensitive data, or modify the environment.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The skill grants Write, Edit, and Bash capabilities even though its stated role is strategic PPC planning. That creates unnecessary authority for file modification and shell execution, increasing the blast radius if the agent is steered by malicious prompts, compromised data, or operator error.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill is scoped as a paid search query analyst, but it is granted Write, Edit, and Bash in addition to read/web capabilities. Those broader permissions are not justified by the stated analytical role and expand the blast radius if the skill is misused, prompt-injected, or makes an error, enabling arbitrary file changes or shell actions unrelated to query analysis.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The file states strict quality gates where every task must pass QA before advancement, but later instructs the orchestrator to mark a task as blocked and continue the pipeline after repeated failures. That contradiction can cause known-bad or unvalidated work to propagate into later phases, weakening assurance and creating opportunities for defective or insecure code to ship under the appearance of a controlled process.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The skill instructs the agent to execute local shell commands and a Playwright capture script against the host environment, which crosses from passive QA guidance into operational command execution. In an adversarial or unreviewed skill ecosystem, this can cause unintended code execution, access local files, and create artifacts without explicit user consent or sandboxing.

Context-Inappropriate Capability

Severity: Low
Confidence: 79%
Finding
The repository inspection commands (`ls`, recursive `grep`, `cat` of generated results) are broader than strictly necessary for screenshot-focused QA and can expose unrelated project contents. While not overtly malicious, they normalize unnecessary workspace enumeration, which increases data exposure risk if the repository contains secrets, proprietary code, or unrelated files.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The plugin advertises a large multi-expert collaboration and command system, but the implementation is only a small set of static template responders. This is dangerous because users may rely on claimed security review, planning, or collaboration capabilities that do not actually exist, leading to false assurance and unsafe downstream decisions.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The verification and code review tools claim to assess the provided checkpoint or path, but they always return fixed findings regardless of input. In a security-sensitive workflow, this can create false negatives or false passes, causing developers or agents to believe code or milestones were reviewed when no real analysis occurred.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
This code rewrites the global OpenClaw configuration file on disk and can change routing behavior for agents across sessions. Because it performs privileged configuration mutation automatically and without validation, a caller can cause unintended reconfiguration, disrupting isolation boundaries or redirecting traffic between workspaces.
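The configuration-rewrite finding calls for a write gate. The following is an added Python example, not the plugin's code: it applies a proposed change to a copy of the config, validates routing invariants (every route must reference a known workspace, and a cross-workspace route needs an explicit approval flag), and only then replaces the file atomically, so a rejected mutation leaves the on-disk config untouched. The config shape (`workspaces`, `routes`, `cross_workspace_approved`) and the filename are assumptions for illustration, not OpenClaw's real schema or config location.

```python
import copy
import json
import os
import tempfile
from pathlib import Path


def validate_routing(cfg: dict) -> None:
    """Reject configs that would break workspace isolation. Field names are assumed."""
    workspaces = set(cfg.get("workspaces", []))
    for route in cfg.get("routes", []):
        src, dst = route.get("from"), route.get("to")
        if src not in workspaces or dst not in workspaces:
            raise ValueError(f"route references unknown workspace: {src!r} -> {dst!r}")
        if src != dst and not route.get("cross_workspace_approved", False):
            raise ValueError(f"cross-workspace route {src!r} -> {dst!r} needs explicit approval")


def update_config(path: Path, mutate) -> dict:
    """Load, mutate a copy, validate, then atomically replace. An invalid config is never written."""
    current = json.loads(path.read_text())
    proposed = mutate(copy.deepcopy(current))
    validate_routing(proposed)                      # raises before anything touches the disk
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".config-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(proposed, f, indent=2)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)   # atomic rename: readers see the old or the new file, never a partial one
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return proposed


def demo() -> dict:
    """Run one valid and one isolation-breaking mutation against a constructed config in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "openclaw.json"     # constructed filename, not the real config location
        path.write_text(json.dumps({
            "workspaces": ["ws-a", "ws-b"],
            "routes": [{"from": "ws-a", "to": "ws-a"}],
        }))

        def add_internal_route(cfg):
            cfg["routes"].append({"from": "ws-b", "to": "ws-b"})
            return cfg

        def redirect_across_workspaces(cfg):   # what an unvalidated caller could push through
            cfg["routes"].append({"from": "ws-a", "to": "ws-b"})
            return cfg

        good = update_config(path, add_internal_route)
        try:
            update_config(path, redirect_across_workspaces)
            rejected = False
        except ValueError:
            rejected = True
        on_disk = json.loads(path.read_text())
        return {
            "good_route_count": len(good["routes"]),
            "bad_rejected": rejected,
            "disk_matches_last_valid": on_disk == good,
            "leftover_temp_files": [p.name for p in Path(d).iterdir() if p.name != "openclaw.json"],
        }


if __name__ == "__main__":
    print(demo())
```

The validation step is deliberately separate from the write so it can be unit-tested and extended; the atomic rename matters because other agent sessions may read the file while a rewrite is in progress.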

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The comment says removal is scoped to the session, but the implementation removes bindings by peer ID or agent ID, and sessionId is not represented in the binding at all. This can delete unrelated routes for the same agent or peer, causing cross-session interference, denial of service, or accidental traffic hijacking between tenants.
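The binding-removal finding is easiest to see with concrete data. The following is an added Python illustration, not the plugin's own code (the page does not show its binding shape): a `Binding` record that carries the creating session, the peer-or-agent removal the finding describes, a session-keyed alternative, and the invariant a session-scoped mutation should satisfy. The tenant, peer and agent names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    session_id: str   # the session that created the binding; absent from the finding's implementation
    peer_id: str
    agent_id: str
    route: str


# Constructed state: two tenants' sessions have bound the same agent name to different peers.
BINDINGS = [
    Binding("sess-tenantA", "peer-A", "agent-reviewer", "workspace-A"),
    Binding("sess-tenantB", "peer-B", "agent-reviewer", "workspace-B"),
    Binding("sess-tenantB", "peer-B", "agent-planner", "workspace-B"),
]


def remove_by_peer_or_agent(bindings, peer_id=None, agent_id=None):
    """The behaviour the finding describes: the session is not part of the key, so every
    binding for the same peer or the same agent is dropped, whichever session created it."""
    return [b for b in bindings if b.peer_id != peer_id and b.agent_id != agent_id]


def remove_session_binding(bindings, session_id, peer_id, agent_id):
    """Session-scoped removal: only the binding this session created for this peer/agent pair goes."""
    key = (session_id, peer_id, agent_id)
    return [b for b in bindings if (b.session_id, b.peer_id, b.agent_id) != key]


def other_sessions_untouched(before, after, session_id) -> bool:
    """Invariant for any session-scoped mutation: bindings of other sessions are unchanged."""
    others_before = {b for b in before if b.session_id != session_id}
    others_after = {b for b in after if b.session_id != session_id}
    return others_before == others_after


def agents_for(bindings, session_id):
    return sorted(b.agent_id for b in bindings if b.session_id == session_id)


def demo() -> dict:
    """Tenant A's session ends and drops its reviewer binding; compare what tenant B keeps."""
    broad = remove_by_peer_or_agent(BINDINGS, agent_id="agent-reviewer")
    scoped = remove_session_binding(BINDINGS, "sess-tenantA", "peer-A", "agent-reviewer")
    return {
        "broad_tenantB_agents": agents_for(broad, "sess-tenantB"),     # reviewer route lost
        "scoped_tenantB_agents": agents_for(scoped, "sess-tenantB"),   # both routes kept
        "broad_keeps_invariant": other_sessions_untouched(BINDINGS, broad, "sess-tenantA"),
        "scoped_keeps_invariant": other_sessions_untouched(BINDINGS, scoped, "sess-tenantA"),
    }


if __name__ == "__main__":
    print(demo())
```

Checking `other_sessions_untouched` after every removal call is the cheap test that would have caught the mismatch between the comment and the implementation.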

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The orchestrator advertises and exposes critical-task semantics, but the implementation never treats any task as critical because hasCriticalFailure() relies on isTaskCritical(), which always returns false. This creates a dangerous mismatch between documented behavior and runtime behavior: callers may assume failures will abort subsequent work, but the system will continue spawning and running additional subagents, potentially causing unauthorized, unsafe, or wasteful actions after a safety-critical failure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The file implements proactive local persistence and retrieval of session content, which materially differs from the declared collaboration-focused skill purpose. This capability mismatch is security-relevant because operators and users may not expect data retention or disk writes, reducing informed consent and increasing the chance that sensitive data is stored without scrutiny.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The code distills session messages into persistent memory files even though that capability is not justified by the skill's stated purpose. In context, this makes the feature more dangerous because it creates covert retention of potentially sensitive user, project, and reference data under the guise of an unrelated collaboration skill.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The documentation explicitly promotes autonomous writes to memory/ without warning that the skill may modify user or project files. Silent state persistence can leak sensitive project context, create hard-to-audit side effects, and interfere with repositories or downstream tooling if users are not told where and how data is stored.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
Presenting automated deployment with rollback support as a normal command, without an explicit warning about system-impacting actions, can mislead users into invoking operations that affect live environments. In the context of a plugin with network/env capability indications and deployment semantics, this increases risk of unintended production changes, credential use, or service disruption.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The example normalizes execution of AI-generated code without a clear warning that this is code execution of untrusted model output. In this skill's context, the model is fed anomalous rows that may contain attacker-controlled content, so prompt injection or crafted samples could influence the generated lambda and lead to harmful execution against sensitive data processing systems.
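The two eval findings (the naive prefix/forbidden-term filter earlier in the list, and this one on executing model output shaped by attacker-influenced rows) share a root cause, so here is one added Python example that is not code from the plugin: a filter of the kind the finding describes, a constructed payload that passes it by attribute traversal alone, and an AST allow-list gate that rejects that payload while still compiling a benign transformation. The forbidden-term list, the allowed node set and the allowed builtins are assumptions chosen for illustration; any substring list has the same weakness.

```python
import ast
import builtins

# A filter of the kind the finding describes: prefix check plus forbidden substrings (assumed list).
FORBIDDEN_TERMS = ("import", "exec", "eval", "open", "os.", "sys", "subprocess", "compile")


def naive_is_safe(src: str) -> bool:
    """Substring filtering: accepts anything that merely avoids the listed words."""
    lowered = src.lower()
    return src.startswith("lambda") and not any(t in lowered for t in FORBIDDEN_TERMS)


# Constructed payload (not from the page): no forbidden word, but attribute traversal from an
# empty tuple reaches object.__subclasses__(), from which loaders and a shell are one step away.
BYPASS = "lambda x: ().__class__.__base__.__subclasses__()"

# A benign transformation of the kind the workflow is meant to produce (clamp a value to [0, 100]).
BENIGN = "lambda x: max(x, 0) if x < 100 else 100"

# AST allow-list: only these node types may appear. No Attribute, Subscript, comprehension,
# f-string, Tuple or List nodes, so traversal and most obfuscation are rejected before execution.
ALLOWED_NODES = (
    ast.Expression, ast.Lambda, ast.arguments, ast.arg, ast.Name, ast.Load,
    ast.Constant, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.IfExp, ast.Call,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod, ast.Pow, ast.USub, ast.UAdd,
    ast.Not, ast.And, ast.Or, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)
# The only callables the lambda may use; they are also the only globals visible at run time.
ALLOWED_CALLS = frozenset({"abs", "round", "min", "max", "int", "float", "len"})


def strict_compile(src: str):
    """Parse model output, reject anything outside the allow-list, then evaluate with no builtins."""
    tree = ast.parse(src, mode="eval")
    if not isinstance(tree.body, ast.Lambda):
        raise ValueError("top-level expression must be a lambda")
    params = {a.arg for a in tree.body.args.args}
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Call) and not (
            isinstance(node.func, ast.Name) and node.func.id in ALLOWED_CALLS
        ):
            raise ValueError("only allow-listed builtins may be called")
        if isinstance(node, ast.Name) and node.id not in params | ALLOWED_CALLS:
            raise ValueError(f"unknown name: {node.id}")
    safe_globals = {"__builtins__": {n: getattr(builtins, n) for n in ALLOWED_CALLS}}
    return eval(compile(tree, "<model-output>", "eval"), safe_globals, {})


def is_allowed(src: str) -> bool:
    """Boolean form of the gate, so it can replace naive_is_safe() at the same call site."""
    try:
        strict_compile(src)
        return True
    except (SyntaxError, ValueError):
        return False


if __name__ == "__main__":
    print("naive filter passes bypass:", naive_is_safe(BYPASS))
    print("AST gate passes bypass:   ", is_allowed(BYPASS))
    clamp = strict_compile(BENIGN)
    print("benign lambda still works:", [clamp(v) for v in (-3, 42, 150)])
```

The allow-list is the control; the empty `__builtins__` is defence in depth only, since attribute traversal does not need builtins. Even with this gate, model-generated transformations run against real data should be reviewed and applied under a non-mutating preview first, because a syntactically harmless lambda can still be semantically wrong.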

VirusTotal

66/66 vendors flagged this skill as clean.
