Openclaw Podcast

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it advertises, but it raises review-worthy privacy and credential-storage concerns: sanitized workspace content is transmitted to an external API, and the API key can be persisted in plaintext in shell startup files.

Install only if you are comfortable sending sanitized workspace summaries and some derived project/profile context to Superlore. Review dry-run output, but note it does not show every outbound field. Avoid saving the API key to shell profiles unless you accept plaintext persistence, and inspect scheduled cron jobs before enabling recurring briefings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The Privacy section makes strong security and privacy guarantees—such as never sending workspace files and stripping all secrets, emails, IPs, database URLs, and file paths—without any verifiable implementation evidence in this file. If those guarantees are incomplete or inaccurate, users may disclose sensitive workspace content to a third-party API under false assumptions of sanitization and privacy.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The script reads custom style definitions from ~/.openclaw/podcast-styles outside the active workspace, expanding the trust boundary beyond the project the user expects. Because those files can contain arbitrary instructions and data source hints that influence generated content, a local or previously planted global file can silently affect behavior and increase unintended disclosure risk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The cover-image prompt generator reads ~/.openclaw/workspace/IDENTITY.md, USER.md, and SOUL.md to extract profile and project context unrelated to the core briefing flow. That data is then sent to the external API as coverImagePrompt, creating an additional exfiltration path for personal or strategic information that users would not expect from the main briefing preview.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The comments assert that sensitive data never leaves the machine and that raw files are never transmitted, but the script still transmits large sanitized excerpts derived directly from MEMORY.md and daily memory files to a third-party API. This is dangerous because the sanitization is regex-based and incomplete: anything the patterns do not anticipate (credentials without a recognized prefix, non-POSIX paths, obfuscated contact details) passes through, so users may overtrust the privacy guarantees and send proprietary or personal data externally.
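To make the "regex-based and incomplete" point concrete for this finding and for the Privacy-section finding above, here is an added example, not the skill's own code and not Superlore's: a sanitizer built from the kinds of patterns the Privacy section promises (emails, IPs, database URLs, file paths, key=value secrets), run over a constructed MEMORY.md-style excerpt. The pattern list is an assumption about a typical implementation; every value in the excerpt is invented. The point is which probes survive.

```javascript
// Added example (not the skill's code): a typical regex sanitizer and the
// secrets that slip past it. PATTERNS is an assumed pattern list.
const PATTERNS = [
  { name: "email",  re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { name: "ipv4",   re: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g },
  { name: "db_url", re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/\S+/gi },
  { name: "path",   re: /(?:\/[\w.-]+){2,}/g },            // POSIX absolute paths only
  { name: "secret", re: /\b(?:api[_-]?key|secret|token|password)\s*[=:]\s*\S+/gi },
];

// Apply every pattern in order, replacing matches with a bracketed label.
function sanitize(text) {
  let out = text;
  for (const { name, re } of PATTERNS) {
    out = out.replace(re, `[${name}]`);
  }
  return out;
}

// Constructed memory excerpt; every address, key and host here is invented.
const MEMORY_EXCERPT = [
  "Contact alice@example.com; staging box is 10.0.0.5.",
  "DATABASE_URL=postgres://app:pw@db.internal/prod",
  "Notes live in /Users/alice/projects/acme/notes.md",
  'config: {"apiKey": "sk_live_4eC39HqLyjWDarjtT1zdp7dc"}', // JSON quoting breaks the key=value pattern
  "Backup key on C:\\Users\\alice\\keys\\backup.txt",         // Windows path, no '/'
  "AWS access key id: AKIAIOSFODNN7EXAMPLE",                 // no recognised keyword
  "Session bearer eyJhbGciOiJIUzI1NiJ9.e30.abc",             // token with no label at all
  "Reach bob at example dot org; DB host fd00::1",           // obfuscated email, IPv6
].join("\n");

// Values a user reading the Privacy section would expect to be stripped.
const PROBES = [
  "alice@example.com",
  "10.0.0.5",
  "postgres://app:pw@db.internal/prod",
  "/Users/alice/projects/acme/notes.md",
  "sk_live_4eC39HqLyjWDarjtT1zdp7dc",
  "C:\\Users\\alice\\keys\\backup.txt",
  "AKIAIOSFODNN7EXAMPLE",
  "eyJhbGciOiJIUzI1NiJ9.e30.abc",
  "bob at example dot org",
  "fd00::1",
];

// Return the probes that are still present verbatim after sanitization.
function survivors(text, probes) {
  const cleaned = sanitize(text);
  return probes.filter((p) => cleaned.includes(p));
}

console.log(sanitize(MEMORY_EXCERPT));
console.log("survived sanitization:", survivors(MEMORY_EXCERPT, PROBES));
```

The four "textbook" values are redacted; the other six reach the outbound payload untouched. A dry-run that prints the sanitized text would look reassuring on the first three lines and still leak an API key, an AWS access key id, a bearer token, a Windows path with a username, an obfuscated address and an IPv6 host. This is the general failure mode of allow-nothing-specific sanitizers: the guarantee only covers what the author thought to write a pattern for.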

Intent-Code Divergence

Severity: Low
Confidence: 87%
Finding
The dry-run states it shows exactly what would be sent, but it omits the separately generated coverImagePrompt that may include data read from additional identity files. This mismatch undermines informed consent by hiding part of the outbound payload, though the hidden field is smaller and less directly sensitive than the main briefing body.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The script appends the API key to ~/.zshrc or ~/.bashrc, creating persistent credential storage outside the immediate setup task. This increases exposure to local compromise, accidental disclosure, and shell history/config syncing, and it violates least privilege for a setup wizard whose core function is scheduling podcast generation.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
Persisting credentials by modifying shell initialization files is an overbroad and risky capability for this skill. It stores the API key in plaintext in commonly sourced files, potentially exposing it to other local users, backups, dotfile sync tools, support uploads, or later accidental disclosure through environment dumps.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The documentation explicitly instructs the skill to send user email addresses for OTP authentication and to place detailed briefing data into the `topic` field for an external third-party API, but it does not provide a clear privacy warning, consent requirement, or data-minimization guidance. In the context of an OpenClaw skill that connects to agent memory and files, this increases the risk that sensitive workspace data, personal information, or confidential business context will be exfiltrated to Superlore without the user fully understanding what leaves the local environment.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The wizard offers to save the API key without clearly warning that it will be written persistently in plaintext to a shell startup file. Users may reasonably interpret this as a harmless convenience and not understand the credential exposure implications.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The preview flow invokes generate-episode.js after stating it is 'Reading workspace context' and 'Sending to Superlore API', but it does not clearly warn that potentially sensitive workspace data may be transmitted to a third-party service. In an agent/workspace skill, that context can include strategy, files, memory, or other confidential content, making silent transmission materially risky.

VirusTotal

65/65 vendors flagged this skill as clean.