Agent Team Builder

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says by creating OpenClaw agents, but it can persistently edit global OpenClaw configuration and run mutating repair commands without enough built-in safeguards.

Install only if you are comfortable with a skill that can edit your OpenClaw configuration and create persistent agent files. Before using it, review the generated config changes, use safe simple agent IDs, restrict channel allow-lists instead of accepting wildcard access, protect config backups that may contain secrets, and run `openclaw doctor --fix` or gateway restart only when you intend to allow local OpenClaw changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Medium (89% confidence)
The validator module contains a function that restarts the OpenClaw gateway, which is a disruptive operational action rather than a pure validation step. In this skill’s context, the tool is designed to automatically create and modify agent environments, so bundling restart capability into a validator increases the chance that a routine validation flow triggers service interruption or state changes without clear operator intent.

Intent-Code Divergence

Medium (96% confidence)
The function is labeled as running validation, but it executes `openclaw doctor --fix`, which performs automatic remediation and can mutate configuration or the local environment. This mismatch is dangerous because callers may invoke it expecting a read-only health check, while it actually changes state and could overwrite or alter user setup unexpectedly.

Vague Triggers

Medium (84% confidence)
Overly broad trigger phrases can cause the skill to activate unintentionally during normal conversation, increasing the chance of unplanned access to local configuration or file-modifying workflows. In a skill that can read ~/.openclaw/openclaw.json and create/update files, accidental invocation materially raises the risk of unintended side effects.

Missing User Warnings

Medium (91% confidence)
The skill explicitly reads local configuration and modifies files, yet the documentation does not clearly warn users about the scope and consequences of those operations. In this context, insufficient disclosure is dangerous because users may trigger filesystem and configuration changes without understanding what data will be read, what files will be created, or how system behavior may be altered.

Missing User Warnings

Medium (91% confidence)
The code overwrites the global OpenClaw configuration file and creates a backup automatically with no confirmation, dry-run, or transactional safeguards. In a team-builder skill that modifies agent/channel bindings and secrets, this can unexpectedly alter live runtime behavior, break existing agents, or persist unintended settings if the generated configuration is wrong or manipulated.

Missing User Warnings

Medium (94% confidence)
The subprocess call invokes an auto-fix command without any built-in disclosure, confirmation, or dry-run option in this code path. In a team-builder skill that performs setup automatically, this makes the issue more dangerous because a user asking for planning or validation could unintentionally trigger environment-changing commands with side effects outside the immediate file being edited.

Missing User Warnings

Medium (93% confidence)
Restarting the gateway is a disruptive system action that can interrupt service, affect active sessions, or mask the root cause of a configuration issue. In this skill context, which is meant to automate agent creation and configuration, hidden restart capability expands the blast radius from file changes to live service availability.

VirusTotal

65/65 vendors flagged this skill as clean.
