AgentOS SDK for Clawdbot

Security checks across malware telemetry and agentic risk

Overview

The skill openly provides cloud memory sync, but it requires persistent upload and reuse of active conversation and project data with broad background behavior and weak scoping controls.

Install only if you intentionally want AgentOS to store and sync active conversations, notes, and project memory to its service. Before use, inspect or obtain the missing aos CLI, avoid the default HTTP raw-IP endpoint, confirm API key scope and deletion controls, and do not enable cron, daemon, or mesh wakeups unless ongoing background sync and wake behavior are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (13)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The skill explicitly mandates syncing active conversation state, working memory, daily notes, and project data to a remote dashboard on every heartbeat. This is broader than a normal local persistence feature and creates continuous exfiltration of potentially sensitive user content to an external service without meaningful minimization or necessity constraints.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The skill advertises agent discovery and bulk memory access capabilities that exceed the stated need of continuity and memory sync. Exposing broader collection and enumeration functions increases the blast radius if abused and signals overprivileged design.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
An endpoint to fetch ALL memories is disproportionate to conversation continuity and greatly increases the risk of mass data access or exfiltration. If exposed to an agent skill, it enables collection well beyond the current conversation or project scope.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill requires remote syncing of memory and conversation-related data but does not provide a clear privacy warning or informed-consent mechanism explaining what user data is transmitted. This can cause unanticipated disclosure of sensitive prompts, notes, and project information.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The prescribed CONTEXT.md format tells the agent to store the human's last message, unanswered questions, and expected next topic, then elsewhere mandates syncing that state remotely. Capturing and transmitting such detailed conversation content without explicit warning materially heightens privacy risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The script forwards message-derived content in wake_msg to a local HTTP gateway without authentication or encryption by default. Even though the default target is localhost, the destination is configurable via CLAWDBOT_GATEWAY_URL, so message metadata from untrusted inbox content can be transmitted to another service or host with no validation, disclosure, or trust boundary checks.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding
The script writes unread message contents, including body text, to ~/.aos-pending.json without setting restrictive permissions or warning the user. On multi-user systems or misconfigured environments, this can expose sensitive inbox data at rest, and the file may persist longer than intended.

Ssd 3

Severity: High
Confidence: 99%
Finding
The skill requires that active conversation state be persisted and included as the first section of working memory, with the broader document describing routine remote syncing of that memory. This creates deliberate retention and external disclosure of user conversation contents beyond what is needed for immediate task execution.

Ssd 3

Severity: High
Confidence: 99%
Finding
The required template records the human's last message and the agent's last response as durable memory artifacts. Persisting verbatim interaction content increases the chance of retaining credentials, personal data, proprietary information, or other sensitive material and, in this skill, is coupled to cloud sync behavior.

Ssd 3

Severity: High
Confidence: 98%
Finding
The instruction to update persisted conversation backups after every human message and before every heartbeat establishes continuous retention and frequent transmission opportunities. This materially increases exposure of sensitive user content and reduces the chance that a user can control or review what is being stored.

Ssd 3

Severity: Medium
Confidence: 91%
Finding
The session-start restoration workflow directs the agent to reload prior working memory and daily notes so it can continue seamlessly without asking the user. On its own this is a continuity feature, but in this skill's context it reinforces long-lived storage and reuse of prior user conversation data that may be sensitive.

Ssd 3

Severity: High
Confidence: 98%
Finding
The pre-compaction instructions require summarizing recent exchanges, pending questions, and current state into persistent memory and then syncing immediately. This is effectively a forced exfiltration path triggered during state transitions, when the user is least likely to review what is being saved.

Ssd 3

Severity: Medium
Confidence: 90%
Finding
The skill instructs the agent to restore cloud and local conversation history after resets or compaction and behave as if no context loss occurred. This normalizes silent reuse of retained user data and can obscure from the user that historical content is being reintroduced from persistent storage.

VirusTotal

64/64 vendors flagged this skill as clean.