Freedcamp Project Management

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Freedcamp integration, but users should protect the stored API credentials and local session cache.

Install this only for Freedcamp workspaces where agent access is intended. Avoid printing or sharing OpenClaw config values, protect or delete ~/.openclaw/skills/freedcamp-session.json when needed, and require explicit approval before creating tasks, changing statuses, adding comments, or marking notifications read.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly instructs users to store the Freedcamp API key and secret in OpenClaw configuration, but it does not clearly warn that these values are long-lived secrets that may persist locally and must be protected. This increases the chance of accidental credential exposure through config inspection, backups, shared workstations, screenshots, or logs, especially because the examples include commands that retrieve the stored configuration.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill persists Freedcamp session material, including a session token and associated user/session data, to a predictable file under the user's home directory without setting restrictive file permissions or warning the user. If the host is multi-user, backups are exposed, or another local process can read that file, the token could be reused to access the user's Freedcamp account and metadata until it expires or is revoked.

VirusTotal

66/66 vendors flagged this skill as clean.
