ClawHub

Consulting

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This consulting skill is mostly coherent and locally scoped, but it stores client engagement details persistently and references several helper files that are not included.

This appears safe to install for local consulting workflow support. Be aware that client names and engagement problems can be saved under the OpenClaw workspace memory directory, so avoid entering unnecessary confidential details and delete old records when no longer needed. Also, several documented workflows reference files that are not included, so verify any additional scripts before using them.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI06: Memory and Context Poisoning
Low
What this means

Client engagement details may remain on the local machine and could be available to later consulting tasks or anyone with access to the workspace files.

Why it was flagged

The script persistently stores client names and presenting problems in a local memory directory. This is disclosed and purpose-aligned, but the data may be confidential consulting information.

Skill content
CONSULTING_DIR = os.path.expanduser("~/.openclaw/workspace/memory/consulting") ... "client": args.client, "presenting_problem": args.presenting
Recommendation

Only store client information you are comfortable keeping locally, periodically review/delete old records, and avoid entering highly sensitive client data unless necessary.

#ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Some documented workflows may fail or rely on files that are not present for review.

Why it was flagged

SKILL.md documents multiple helper scripts and reference files, but the provided manifest includes only SKILL.md and scripts/scope_engagement.py. This is an incomplete package/provenance gap rather than evidence of malicious behavior.

Skill content
`write_proposal.py` | Write client proposal ... `structure_pricing.py` ... `navigate_situation.py` ... `log_engagement.py`
Recommendation

Before relying on workflows beyond engagement scoping, verify that any referenced scripts or reference documents are actually present and inspect them if added later.