openclaw security auditor

Security checks across malware telemetry and agentic risk

Overview

This security-auditor skill is mostly on-topic, but it can run unbundled local code and includes a fixer that can weaken OpenClaw security settings.

Install only if you are comfortable reviewing the code paths before use. Do not run the fixer blindly: use dry-run first, avoid aggressive mode except in isolated test environments, mask tokens before sharing reports, and verify the external OSA dependency that the scanner imports from outside the skill package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill documents code paths that read the user's OpenClaw configuration and write a report file, but the manifest does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: an operator may trust the skill as minimally scoped while it performs filesystem actions that should be explicitly disclosed and governed.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding: The skill is presented as an auditor, but the documented scripts include automated configuration fixing and interactive application of security changes. That mismatch can mislead users into authorizing a tool they believe is read-only, when it may perform state-changing operations that alter security posture or availability.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The safety section claims the skill only reads configuration files and never makes automatic changes without approval, yet earlier sections advertise automated fixing and scripts to apply security fixes. Contradictory assurances are dangerous because they undermine informed consent and can cause users or orchestrators to rely on false safety guarantees.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding: The function labeled as an 'aggressive security profile' disables authentication, exposes the gateway to the LAN, expands tool access to 'full', disables filesystem workspace restrictions, and broadens session scope to 'any'. Presenting these settings as a security profile is dangerous because a user seeking hardening could unintentionally deploy a substantially less secure configuration that increases attack surface and risk of unauthorized access.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: Aggressive mode makes multiple security-impacting changes automatically, but the interface provides only a generic mode name and help text saying 'Security mode to apply', without specific warnings that it will disable auth and widen exposure. In the context of a security auditor/fixer, that omission is especially risky because users are primed to trust the tool to improve security, making accidental insecure deployment more likely.

VirusTotal

65/65 vendors flagged this skill as clean.
