Omniclaw Cli Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly disclosed OmniClaw payment CLI guide with sensitive financial and service-execution powers that are scoped to explicit user or owner-directed use.

Install only if you trust the omniclaw-cli binary and the OmniClaw Financial Policy Engine URL. Use least-privilege tokens with spending limits, avoid setting OMNICLAW_OWNER_TOKEN unless the current task truly requires owner approval authority, and only allow serve/--exec after explicitly approving the exact command, endpoint, price, port, and runtime isolation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Severity: High
Confidence: 93%
Finding:
Documenting `configure` inside a skill that explicitly says it is not for owner setup or Financial Policy Engine administration creates a dangerous capability mismatch. An agent following this reference could be induced to set server URLs, tokens, or reveal secrets via related options, expanding privilege and enabling unauthorized reconfiguration.

Description-Behavior Mismatch

Severity: High
Confidence: 91%
Finding:
Including owner-only confirmation approval and denial workflows in a general agent skill exposes highly privileged control paths that contradict the declared execution boundary. If an agent is allowed to act on this documentation, it may attempt to approve or deny pending confirmations, bypassing intended human ownership controls.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The documentation states that `serve` binds to `0.0.0.0` and that `--exec` runs a host command, meaning the feature can expose arbitrary command execution behind a payment gate on all network interfaces. The surrounding note about owner approval and isolation is advisory only and does not mitigate the inherent risk that an agent could publish a remotely reachable paid RCE surface.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
Documenting `configure --show-raw` without a prominent warning normalizes a command that can print raw secrets such as tokens or sensitive configuration values. In an agent setting, those secrets may be logged, surfaced to users, stored in traces, or exfiltrated through downstream tooling.

VirusTotal

67/67 vendors flagged this skill as clean.