Cny Skill Extracted

Security checks across malware telemetry and agentic risk

Overview

This skill matches its exchange-rate alert purpose, but it can automatically use messaging credentials and create recurring OpenClaw jobs, so users should review it before installing.

Install only if you want this skill to read your OpenClaw messaging configuration, use configured channel credentials, send exchange-rate messages to selected destinations, and create a recurring OpenClaw cron job. Before enabling auto-setup or scheduled notifications, review the selected channel targets, webhook URLs, OPENCLAW_GATEWAY_URL, gateway token handling, and the cron entry it creates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tainted flow: 'gateway_url' from os.environ.get (line 1048, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
gateway_url = gateway_url or "http://127.0.0.1:18790"
try:
    resp = requests.post(
        f"{gateway_url.rstrip('/')}/v1/messages/send",
        json={'channel': channel_type, 'to': target, 'text': message},
        headers={'Authorization': f'Bearer {gateway_token}'},
Confidence
92% confidence
Finding
resp = requests.post( f"{gateway_url.rstrip('/')}/v1/messages/send", json={'channel': channel_type, 'to': target, 'text': message}, headers=

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The module is presented as a simple exchange-rate calculator, but it also modifies OpenClaw configuration and cron job state. This functionality mismatch is security-relevant because operators may grant trust or execute the skill expecting read-only behavior while it persists configuration changes and schedules future execution. In agent ecosystems, hidden persistence and config modification are especially sensitive.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to automatically write scheduler configuration into ~/.openclaw/cron/jobs.json after setup, creating persistent behavior on the host. This is security-relevant because it modifies local execution settings and establishes future automated execution without an explicit consent/confirmation step at the moment of persistence.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The auto-setup path writes configuration and registers a recurring cron job immediately, without interactive confirmation. That creates persistence and outbound messaging behavior from a single command invocation, which is risky in an agent skill because it can silently alter future system behavior. The issue is not remote exploitation by itself, but unsafe default side effects.

VirusTotal

65/65 vendors flagged this skill as clean.
