SkillMetricScraper

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a public analytics/reporting pipeline, but it needs review because it can use local authenticated tooling, Docker access, external helper execution, broad triggers, and persistent data collection beyond a simple weekly report.

Install only if you are comfortable with a reporting skill that fetches public ClawHub/social/GitHub data, writes local analytics files, and may use Anthropic, GitHub, XAI, Docker, and an external x-search helper. Review or disable the Docker bridge, gh CLI project tracker, X_SEARCH_SCRIPT override, broad triggers, and any cron/hourly setup before running it in an environment with sensitive credentials or Docker access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (20)

Tainted flow: 'cmd' from os.getenv (line 56, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
]
    print(f"[X-CAPTURE] Running: {query} ({date_from} to {date_to})")
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=90, encoding="utf-8", errors="replace")
        if result.returncode != 0:
            print(f"  [WARN] x-search returned code {result.returncode}")
            if result.stderr:
Confidence
91% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=90, encoding="utf-8", errors="replace")

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no explicit permissions while instructing execution that uses environment secrets, filesystem reads/writes, network access, and shell commands. This undermines least-privilege review and can mislead users or policy engines into authorizing a broader capability set than the manifest transparently communicates.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose focuses on trending-skill tracking and script generation, but the documented behavior expands into social-signal harvesting, GitHub telemetry, possible Docker database copying, and additional structured output pipelines. This mismatch reduces informed consent and can hide materially broader data collection and execution behavior from users deciding whether to invoke the skill.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest description omits broader multi-source community monitoring and GitHub repository tracking that materially affect the skill's data collection scope. In security review, incomplete disclosure is dangerous because it prevents accurate risk assessment and may cause users to expose credentials or permit network activity they did not expect.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The file performs persistent hourly data collection and GitHub ecosystem tracking, which goes beyond the stated skill purpose of weekly trending analysis and script generation. This scope expansion is risky because users may grant trust based on the manifest description while the code continuously collects and stores broader data, creating a transparency and least-privilege violation even if the activity is not overtly malicious.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file's behavior materially differs from the stated skill purpose: instead of weekly trending-skill and video-script generation, it performs authenticated tracking of GitHub repository metadata for core OpenClaw repos. This kind of scope mismatch is dangerous because it can hide undisclosed data collection or credential use inside a skill users would not expect to access GitHub account-backed resources.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code uses gh-authenticated GitHub API access, despite the skill being described as a weekly ranking/video-script skill rather than a GitHub telemetry collector. In a skill ecosystem, undisclosed authenticated API usage is security-relevant because it expands trust boundaries, may consume privileged credentials, and can facilitate covert reconnaissance of repositories or organization activity.

Context-Inappropriate Capability

Medium
Confidence
68% confidence
Finding
The script reaches into a named container and copies an internal SQLite database onto the host. In an agent-skill context, Docker interaction expands the trust boundary and can expose or overwrite locally accessible data if the skill runs with Docker permissions, which is broader capability than a normal weekly reporting workflow needs.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Broad trigger phrases like 'generate report', 'video script', or 'openclaw skills' increase the chance of accidental activation in unrelated conversations. In an agent context, overbroad activation can cause unintended network calls, shell execution, database writes, and external API usage without sufficiently specific user intent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The routing guidance uses common-language phrases to select operational modes, making it easy for normal user requests to be interpreted as authorization to run the pipeline. Because some modes perform network fetching, local writes, and API-backed content generation, ambiguous activation boundaries increase the risk of unintended side effects and secret consumption.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger list includes broad natural-language phrases like "skills weekly," "trending skills," "weekly report," and "status"-adjacent reporting terms that can plausibly appear in ordinary user conversation. Because the skill is user-invocable and performs network/API access plus local data writes, accidental invocation could cause unintended external requests, data collection, and modification of the local SQLite/JSON state.

Ssd 4

Medium
Confidence
95% confidence
Finding
Untrusted skill documentation is inserted directly into the user prompt, so a malicious skill author can embed prompt-injection text that competes with the intended formatting and content-generation instructions. While this file does not expose tools or secrets to the model, injected content can still manipulate the generated script, produce policy-violating output, or poison downstream published content.

Ssd 4

Medium
Confidence
96% confidence
Finding
The LLM request consumes raw harvested documentation in the prompt context, creating a direct semantic injection path from external content to model behavior. Because the generated text is later rendered into markdown/video scripts, an attacker can influence published output at scale, including misleading claims, hidden instructions, or reputationally damaging content.

Ssd 1

Medium
Confidence
95% confidence
Finding
Untrusted search-result text is embedded verbatim into an LLM prompt that is expected to return structured JSON. Retrieved tweets or summaries can contain prompt-injection content that causes the model to ignore instructions, emit malformed output, misclassify signals, or include attacker-chosen content in saved data.

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.27.0
python-dotenv>=1.0.0
anthropic>=0.49.0
beautifulsoup4>=4.12.0
Confidence
97% confidence
Finding
httpx>=0.27.0

Unpinned Dependencies

Low
Category
Supply Chain
Confidence
97% confidence
Finding
python-dotenv>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Confidence
97% confidence
Finding
anthropic>=0.49.0

Unpinned Dependencies

Low
Category
Supply Chain
Confidence
97% confidence
Finding
beautifulsoup4>=4.12.0

Known Vulnerable Dependency: python-dotenv — 1 advisory: CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
78% confidence
Finding
python-dotenv

Known Vulnerable Dependency: anthropic — 2 advisories: CVE-2026-34450 (Claude SDK for Python has Insecure Default File Permissions in Local Filesystem ); CVE-2026-34452 (Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox)

Low
Category
Supply Chain
Confidence
76% confidence
Finding
anthropic

VirusTotal

63/63 vendors flagged this skill as clean.