OpenClaw Skills Weekly

Security checks across malware telemetry and agentic risk

Overview

This reporting skill mostly matches its stated purpose, but its default workflow can make broad network calls and copy or replace a local metrics database from a Docker container without clear upfront approval.

Review before installing. Use it only where Python package installation, external API calls, and local database/report writes are acceptable. Prefer --skip-x unless you need X/Twitter capture, use --no-bridge unless you explicitly want Docker-to-host database copying, and provide least-privilege API keys only when needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (8)

Tainted flow: 'cmd' from os.getenv (line 56, credential/environment) → subprocess.run (code execution)

Severity: Medium
Category: Data Flow
Content:
    ]
    print(f"[X-CAPTURE] Running: {query} ({date_from} to {date_to})")
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=90, encoding="utf-8", errors="replace")
        if result.returncode != 0:
            print(f"  [WARN] x-search returned code {result.returncode}")
            if result.stderr:
Confidence: 89%
Finding:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=90, encoding="utf-8", errors="replace")

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 97%
Finding: The skill declares itself user-invocable and instructs the agent to use shell, network, environment variables, and local file/database writes, yet it does not declare any permissions. This creates a transparency and consent failure: users and policy layers may not realize the skill can install dependencies, call external APIs, access secrets, and persist data locally.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The declared purpose emphasizes trending-skill tracking and script generation, but the behavior expands into X/Twitter capture, local SQLite accumulation, extra JSON outputs, and even docker-based database copying according to the analysis finding. Hidden or under-described behavior is dangerous because it broadens the data sources, persistence, and host interactions beyond what a user would reasonably expect from the description.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: Broad triggers like 'generate report', 'video script', or 'openclaw skills' can cause accidental invocation in unrelated conversations. Because this skill can install packages, perform network calls, and write local files, unintended activation increases the chance of side effects without clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill instructs dependency installation and creates a local SQLite database and output files, but it does not prominently warn users about these side effects. Lack of up-front disclosure undermines informed consent and can lead to unexpected package installation, disk writes, and long-lived local data retention.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The trigger list includes broad natural-language phrases such as "skills weekly", "trending skills", and "weekly report", which are common enough to match unrelated user requests and cause accidental invocation. Because this skill performs network access, local database writes, and can drive recurring reporting workflows, unintended activation can lead to unnecessary external requests, noisy automation, and confusing or undesired side effects.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: The code sends harvested skill content, including documentation text, to Anthropic without any in-file disclosure, consent gate, or content-classification check. In this skill's context, the harvested content is third-party and potentially sensitive, so external transmission creates a real data exposure and compliance/privacy risk even if no obvious secrets handling is shown here.

Ssd 4

Severity: Medium
Confidence: 93%
Finding: Untrusted skill documentation is interpolated directly into the prompt, so a malicious skill author can embed prompt-injection text that steers tone, content, or policy compliance of the generated script. The surrounding system prompt helps, but because this product summarizes adversarial third-party content, the context makes prompt steering more likely and more dangerous than in a trusted-input workflow.

VirusTotal

66/66 vendors flagged this skill as clean.