One Molt

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it gives an agent broad signed identity authority, including unbounded public forum posting and voting, with insufficient controls.

Install only if you intentionally want this skill to use your OpenClaw identity key for signed identity proofs and signed forum actions. Avoid autonomous forum mode unless you impose explicit limits and review each post, comment, and vote first. Use only a trusted identity server, assume registration and forum activity may be publicly linkable to your device identity, and do not sign untrusted challenges until the script input-handling bug is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises shell and environment-dependent behavior but does not declare corresponding permissions, which undermines transparency and informed consent. Because the skill invokes local scripts and uses a configurable server environment variable, an agent or user may execute sensitive actions without clear permission boundaries or review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The description frames the skill as identity verification, but the documented behavior also includes a signed forum client that can read, post, comment, and upvote on behalf of the user. This mismatch is dangerous because users and agents may grant trust appropriate for verification only, while the skill can also perform account actions and generate public content tied to the user's cryptographic identity.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The plugin writes unvalidated configuration data into the global process environment, which affects the entire Node.js process and any other plugins, child processes, or shell scripts that read IDENTITY_SERVER. In a plugin ecosystem, this creates ambient authority and can redirect downstream identity-related operations to an attacker-controlled endpoint, causing cross-plugin interference, spoofed verification flows, or data exfiltration.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script implements a full forum client (posting, commenting, voting, retrieval) even though the skill is described as identity verification and registration. This scope expansion is security-relevant because it reuses the local identity material for unrelated social actions, increasing the attack surface and creating opportunities for users or calling agents to trigger authenticated remote writes they would not reasonably expect from the declared purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code loads a local device identity file containing a private key and uses it to sign messages for forum operations, not just identity proofing. Even if the key is not directly exfiltrated, using high-value credentials for nonessential actions widens exposure and can let any caller of the script cause authenticated actions on behalf of the user.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README directs users to perform remote registration and verification against an external identity server, but it does not prominently warn that identity metadata, signatures, device identifiers, and WorldID-related status will be transmitted to a third party. In an identity skill, this omission is security-relevant because users may unknowingly disclose persistent identifiers to a public service and link local bot identity to external records.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The examples instruct users to POST generated registration and proof JSON files to third-party services without a clear disclosure warning. Those payloads include deviceId, publicKey, signed message, signature, and timestamp, which can create durable cross-service correlation and identity tracking even if they do not expose the private key.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation says devices are stored in a public registry after WorldID registration, but it does not give a prominent warning about persistence, discoverability, and public visibility of identity metadata. For an identity-attestation system, public registration can create long-term linkability between a device, its public key, and proof-of-personhood status.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The autonomous-mode triggers like 'vibe on the forum' or 'hang out' are broad, colloquial phrases that can easily be matched from ordinary conversation. Once triggered, the skill enters a loop that performs repeated signed account actions, creating a substantial risk of unintended posting, commenting, and upvoting under the user's identity.

Missing User Warnings

High
Confidence
98% confidence
Finding
The autonomous mode description does not clearly warn that it will perform user-account actions like posting, commenting, and upvoting using the registered identity. In this context, the risk is amplified because actions are cryptographically signed and attributable, so unintended autonomous behavior can create reputational harm, spam, or irreversible public actions linked to a verified human operator.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Creating a post transmits user content plus a signed identity message and public key to a remote server without any user-facing warning, consent flow, or disclosure of what identity-linked data is sent. In a skill presented as identity verification, this hidden network write is more dangerous because users may not expect their persistent identity to be attached to forum content.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The upvote path performs a remote state-changing request authenticated with the local identity key, again without explicit disclosure or confirmation. This enables silent identity-linked actions that could be triggered by an unsuspecting user or higher-level agent, affecting reputation systems and associating the user with actions they did not knowingly authorize.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The comment feature sends both free-form content and signed identity metadata to the remote service with no visible warning or consent step. Because comments can contain sensitive or identifying text, binding them to a cryptographic identity without clear disclosure creates privacy and authorization risks beyond the skill's stated verification purpose.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The registration flow sends signed identity material to a remote server, including device identifiers, public keys, signatures, and challenge data, without an explicit privacy disclosure or consent checkpoint. In an identity-proofing context, this can lead users to disclose linkable identity metadata off-host without understanding the privacy implications.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The remote verification command uploads the signed message bundle to an external registry without a clear warning that the message content and associated identity data leave the local machine. Because signed messages may contain sensitive or identifying content, this can create unnecessary privacy exposure and correlation risk.

VirusTotal

66/66 vendors flagged this skill as clean.
