OpenClaw Soul Weaver

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-related, but it needs review because it can send profile details to a remote service and its permissions, file-saving claims, and system-configuration impact are inconsistent.

Install only if you are comfortable sending names, profession, use case, communication style, and avatar prompts to the remote service. Treat generated MEMORY.md, TOOLS.md, and AGENTS.md as drafts, review them before applying, remove unnecessary high-privilege tools, back up existing OpenClaw configuration files, and do not rely on the claimed local avatar path unless you verify the file exists.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

MCP Least Privilege

High
Confidence
91% confidence
Finding
The skill reads process.env.API_BASE_URL, which uses environment capability not declared in the manifest. Undeclared capability use weakens permission transparency and can let deployment-time configuration silently redirect all user data to an unexpected endpoint. In a network-enabled skill that sends user prompts externally, this increases trust and data-flow risk.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The changelog advertises generation of six local configuration files and ZIP export, which expands the operational scope beyond a purely conversational config assistant. That mismatch matters because users and reviewers may underestimate that the skill can create persistent artifacts on disk, increasing the chance of unintended writes, packaging of sensitive content, or deceptive capability disclosure.

Scope Creep

High
Confidence
97% confidence
Finding
The changelog lists file-read and file-write permissions even though the provided skill metadata declares only network access. Undeclared effective filesystem capabilities are a serious trust and review problem because they can enable local data access or modification without accurate consent, especially in a skill that also exports generated packages.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The README claims the skill can 'replace system files' and also references broader file permissions than the manifest declares, creating a dangerous mismatch between documented behavior and actual declared capabilities. Even if the code only returns generated files, this kind of documentation can socially engineer users into manually overwriting sensitive configuration or system files, leading to configuration compromise or privilege misuse.

Scope Creep

High
Confidence
96% confidence
Finding
The README declares file-read and file-write permissions that are not present in the manifest, which is a significant trust and security discrepancy. Permission mismatches prevent users and reviewers from understanding the true attack surface and may conceal intended future behavior involving local file access or unsafe installation guidance.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Documenting avatar generation and local file saving in a skill meant for configuration generation indicates undocumented scope expansion. Even if only documented, this signals the skill may handle remote binary content and persistent local artifacts without users expecting those actions.

Scope Creep

High
Confidence
97% confidence
Finding
The skill declares only network permission, yet the documentation says it downloads and saves avatar images to the local file system. That is a permissions mismatch that can bypass reviewer expectations and mislead users about the skill’s ability to write persistent files.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill performs external image generation and image download even though its stated purpose is generating OpenClaw configurations. This expands data sharing and network behavior beyond user expectations, sending AI names and style prompts to another endpoint and fetching attacker-controlled imageUrl content returned by the service. The extra capability increases privacy and supply-chain risk without clear necessity.

Scope Creep

High
Confidence
95% confidence
Finding
The handler returns local filesystem-style paths and claims local avatar handling despite the manifest declaring only network permission. This creates a misleading security boundary: users or orchestrators may believe the skill can write local files or that files now exist when no such permission was granted. Permission/behavior mismatch is dangerous because it can mask unauthorized capability expansion or induce downstream components to trust nonexistent local artifacts.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The skill reports that the avatar was saved locally and sets avatarSaved: true, but the code only logs a path and never writes a file. This is a security-relevant integrity issue because downstream automation may act on false assumptions about local artifacts, potentially skipping checks or referencing nonexistent files. Misrepresentation of state is especially risky in agent ecosystems where tools chain outputs automatically.

Scope Creep

Medium
Confidence
97% confidence
Finding
The top-level skill metadata declares only network permission, but the embedded clawhub manifest additionally requests file-write. This permission mismatch can mislead reviewers and users about the skill's true capabilities, and file-write materially increases risk because a network-enabled skill could persist downloaded content or modify local files.

Vague Triggers

Medium
Confidence
84% confidence
Finding
'Multiple pattern-based auto-triggers' is overly broad and does not specify activation phrases, scope, or safety constraints. In practice, ambiguous auto-triggering can cause the skill to run unexpectedly, initiate network requests, or generate files in contexts the user did not clearly intend, which is riskier given the skill's documented side effects.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The changelog describes file generation, external API integration, image generation, and ZIP export but gives no user-facing warning about data handling, privacy implications, or system effects. Because the skill has network capability and may package generated content, users may unknowingly send sensitive prompt data to third-party services or create local artifacts without informed consent.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The automatic trigger phrases are broad enough to activate during ordinary conversation, increasing the chance of unintended execution. In a skill with network access and documentation referencing file operations, accidental triggering could cause unreviewed data transmission or unexpected generation actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README describes network calls and file operations but does not warn users about privacy implications, external data transfer, or possible system/configuration impact. In this context, the skill generates personalized configurations and may transmit user-provided identity and preference data to a remote service, so the absence of disclosure meaningfully increases risk.

Vague Triggers

Medium
Confidence
86% confidence
Finding
An overly broad auto-invocation trigger can cause the skill to activate on ordinary conversation, leading to unintended remote API calls, data transmission, or configuration generation. In this skill’s context, that risk is elevated because the skill has network permission and may act on ambiguous requests without explicit confirmation.

Missing User Warnings

High
Confidence
94% confidence
Finding
Telling users the skill can replace system files and save files locally without a prominent warning about system/data impact creates a serious safety issue. Users may not realize the skill can overwrite important configuration files or persist artifacts on disk, increasing the risk of data loss, broken setups, or unwanted persistence.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documented API request sends user profile data such as name, profession, use case, and communication style to a third-party endpoint without a clear privacy notice or consent flow. This can expose personal or sensitive preference data externally in ways users may not expect from a local configuration helper.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger regexes are broad enough to match many ordinary requests about creating AI agents or configs, not just explicit use of this skill. Because the skill has network, file-read, and file-write permissions and can generate packaged output, unintended activation could cause remote data submission or local file operations in contexts the user did not clearly request.

Vague Triggers

Low
Confidence
78% confidence
Finding
The description uses expansive marketing language like 'No waiting' and 'through natural conversation' without defining boundaries for appropriate activation. In a skill that can write files and call external APIs, vague invocation framing increases the chance that dispatch logic treats general conversational requests as permission to run the skill.

VirusTotal

66/66 vendors flagged this skill as clean.
