Durable Agents

Security checks across malware telemetry and agentic risk

Overview

The skill is a useful development guide, but its setup gives an agent broad local credential, database, Docker, and auth-token authority without enough user approval.

Install only in an isolated development environment, and only after reviewing and pinning the external repository. Provide dedicated, scoped LLM credentials yourself; do not let the agent search other projects or containers for secrets; and require manual approval before Docker volume deletion, database auth changes, PAT regeneration, or writing credentials to .env files or local CLI config.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The setup explicitly instructs the agent to inspect another local project and running containers to discover AI credentials, then reuse them in this project without user confirmation. That grants the skill cross-project secret discovery and reuse capabilities that exceed normal setup behavior and can expose unrelated credentials or violate least-privilege boundaries.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The recovery flow includes extracting secret keys from logs and databases, regenerating PATs, and writing them into local config files. This turns the skill into a credential extraction and credential manipulation workflow, materially increasing the risk of secret disclosure, persistence, and unauthorized access.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The skill description is very broad and includes common developer intents such as creating AI agents, pipelines, tools, database storage, and task chains. In agentic systems, overly broad activation criteria can cause the skill to be invoked in situations beyond its intended scope, increasing the chance that powerful multi-agent automation patterns are applied unnecessarily or without adequate review.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The instructions tell the agent to read API keys from another project or container environment and write them into this repository's .env file, with no warning about sensitivity, persistence, or scope. That encourages silent secret copying and creates a durable local copy of credentials that may later be committed, logged, or reused improperly.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: These recovery steps persist sensitive tokens and keys into .env files and user config directories, again without a prominent warning about storage, rotation, or cleanup. Persisting regenerated or extracted authentication material in plaintext configuration significantly broadens the blast radius if the machine or repo is later accessed.

Ssd 3

Severity: High
Confidence: 99%
Finding: The skill directs the agent to discover and reuse local AI credentials from the openclaw project and live container environments without user confirmation. This is a direct secret-discovery pattern across trust boundaries and is especially dangerous because it normalizes harvesting credentials from whatever happens to be present on the machine.

Ssd 3

Severity: High
Confidence: 99%
Finding: The recovery guidance instructs extraction of secret keys and access tokens from logs, databases, and local config files, then persists them for reuse. This is effectively a playbook for credential harvesting and token reissuance, enabling unauthorized access to services and potentially bypassing normal authentication controls.

VirusTotal

66/66 vendors flagged this skill as clean.