Static App

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Static.app site-management skill that uses your Static.app API key and can upload, inspect, download, and delete sites, with no evidence of hidden or unrelated behavior.

Install this only if you want OpenClaw to manage your Static.app account. Use the least-privileged Static.app API key available, verify the PID and source directory before running commands, avoid --force unless you explicitly intend to delete a site, and only download archives from sites you trust because extraction can overwrite files in the chosen output path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3 (Medium)
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill documentation describes use of environment variables for API keys and network access to a third-party service, but no corresponding permissions are declared. This creates a transparency and governance gap: an agent invoking the skill could access secrets and transmit data externally without explicit permission scoping or user awareness.

Tp4 (High)
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The skill is presented as a deployment/hosting tool, but it also supports listing account resources, downloading site archives, extracting them locally, and deleting sites. This broader behavior materially expands the attack surface and can mislead users or policy engines into authorizing actions that include destructive operations and access to unrelated account content.

Description-Behavior Mismatch (Medium)
Confidence: 95%
Finding: The skill metadata describes deploy/upload/host behavior, but this file implements irreversible site deletion. That capability mismatch is dangerous because users or orchestrators may invoke the skill expecting safe deployment actions while the package also contains destructive operations that can remove hosted content. In a hosting skill context, hidden or undocumented destructive functionality increases the risk of accidental or unauthorized data loss.

Description-Behavior Mismatch (Medium)
Confidence: 93%
Finding: The script adds download/import functionality that is outside the stated skill scope of deploying or hosting static sites. Scope expansion matters because it enables pulling remote site contents into the local environment, increasing the attack surface and creating a path for untrusted content ingestion that users and reviewers may not expect.

Context-Inappropriate Capability (Medium)
Confidence: 98%
Finding: The code downloads a remote ZIP and extracts it directly into a workspace path using adm-zip without validating archive entry paths. This creates a classic archive extraction risk: a malicious or compromised download could use path traversal entries to write outside the intended directory and overwrite arbitrary files in the workspace or host environment.

Missing User Warnings (Medium)
Confidence: 90%
Finding: The documentation includes delete functionality and a force flag that skips confirmation, but it does not prominently warn that the action is destructive and may permanently remove hosted content. In an agent setting, this increases the risk of accidental or socially engineered deletion without adequate user understanding.

External Transmission (Medium)
Category: Data Exfiltration
Content (excerpt from the skill documentation):
- **Body**: Multipart form with `archive` (zip file) and optional `pid`

### List Sites
- **Endpoint**: `GET https://api.static.app/v1/sites`
- **Auth**: Bearer token (API key)
- **Headers**: `Accept: application/json`
Confidence: 76%
Finding: https://api.static.app/

External Transmission (Medium)
Category: Data Exfiltration
Content (excerpt from the skill documentation):
- **Headers**: `Accept: application/json`

### List Site Files
- **Endpoint**: `GET https://api.static.app/v1/sites/files/{pid}`
- **Auth**: Bearer token (API key)
- **Headers**: `Accept: application/json`
Confidence: 74%
Finding: https://api.static.app/

External Transmission (Medium)
Category: Data Exfiltration
Content (excerpt from the skill documentation):
- **Headers**: `Accept: application/json`

### Delete Site
- **Endpoint**: `DELETE https://api.static.app/v1/sites/{pid}`
- **Auth**: Bearer token (API key)
- **Headers**: `Accept: application/json`
Confidence: 93%
Finding: https://api.static.app/

External Transmission (Medium)
Category: Data Exfiltration
Content (excerpt from the skill documentation):
- **Headers**: `Accept: application/json`

### Download Site
- **Endpoint**: `GET https://api.static.app/v1/sites/download/{pid}`
- **Auth**: Bearer token (API key)
- **Headers**: `Accept: application/json`
- **Response**: Returns download URL for the site archive
Confidence: 85%
Finding: https://api.static.app/

Autonomous Decision Making (Medium)
Category: Excessive Agency
Content (excerpt from the skill's command help):
Options:
  -p, --pid          Site PID to delete
  -k, --api-key      API key (or set STATIC_APP_API_KEY env var)
  -f, --force        Skip confirmation prompt
  -h, --help         Show this help

Examples:
Confidence: 88%
Finding: Skip confirmation

VirusTotal

66/66 vendors flagged this skill as clean.
