Config Modification Safety

Security checks across malware telemetry and agentic risk

Overview

The skill is a plausible OpenClaw config safety tool, but it installs persistent automation that can overwrite configs and restart services, with incomplete install artifacts and unsafe removal guidance.

Install only if you intentionally want background jobs that monitor OpenClaw configs, automatically restore backups, and restart the gateway. Before installing, require the missing macOS plist and Windows installer/helper scripts to be supplied and reviewed, and replace the crontab -r removal guidance with an uninstall step that removes only this skill’s cron entry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill advertises installation and operational commands that can write files and invoke shell commands, but it does not declare corresponding permissions. This weakens the trust boundary: users and platforms cannot accurately assess that the skill installs background components, edits system task configuration, and operates through command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose understates important behavior: persistent launchd/cron or scheduled-task installation, automatic rollback of user changes, and service restarts materially affect system state. This mismatch prevents informed consent and increases the chance that users authorize a skill that behaves more invasively than expected; additionally, the Windows support claim appears overstated, which can create unsafe assumptions about protection coverage.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill is described as guarding a specific agent config, but the script also backs up and restores the main OpenClaw config.json. This hidden expansion of scope can overwrite unrelated system settings during rollback, causing unintended configuration changes or recovery to a stale state outside the user's expected trust boundary.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
A file-change guard intended for syntax validation also has authority to restart the Gateway process. That broader capability increases blast radius: any malformed write or repeated trigger can induce service disruption, and a script watching file changes should not automatically control process lifecycle unless clearly separated and constrained.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Automatic rollback of configuration changes is a sensitive behavior because it can silently overwrite recent user or agent edits. Even if intended as safety protection, failing to prominently warn about this can cause data loss, confusion during debugging, and accidental reversal of legitimate configuration updates.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Windows installation instructions say to run the installer as administrator but do not clearly disclose that it creates persistent background watchers and scheduled tasks. Elevated, persistent components materially increase risk because users may grant admin rights without understanding the lasting system modifications being made.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script installs persistent mechanisms in LaunchAgents and the user's crontab without an explicit pre-install warning or consent prompt. Persistent background execution materially changes the user's environment and trust boundaries, so doing this silently increases the risk of unwanted long-lived code execution and makes removal harder for non-expert users.

VirusTotal

66/66 vendors flagged this skill as clean.
