TrustMyAgent

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real security scanner, but it needs review because its privacy, local-only, telemetry, and social-reputation behavior are broader than users may expect.

Install only if you are comfortable with a broad security scanner inspecting sensitive local signals and potentially publishing detailed posture results to an external Trust Center. Run --dry-run first, review the exact JSON payload, use --local-only with caution because some checks and Moltbook enrichment may still perform network activity, use --no-notify to avoid the npx fallback, and enable the cron schedule only if you want recurring scans.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (27)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""
    # Method 1: openclaw in PATH
    try:
        proc = subprocess.run(
            ["openclaw", "notify", "--message", message],
            capture_output=True, text=True, timeout=15
        )
Confidence
87% confidence
Finding
proc = subprocess.run( ["openclaw", "notify", "--message", message], capture_output=True, text=True, timeout=15 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Method 3: Try npx
    try:
        proc = subprocess.run(
            ["npx", "--yes", "openclaw", "notify", "--message", message],
            capture_output=True, text=True, timeout=30
        )
Confidence
94% confidence
Finding
proc = subprocess.run( ["npx", "--yes", "openclaw", "notify", "--message", message], capture_output=True, text=True, timeout=30 )

Tainted flow: 'req' from os.environ.get (line 2192, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
"Accept": "application/json",
    })
    ssl_context = get_ssl_context()
    with urllib.request.urlopen(req, timeout=15, context=ssl_context) as resp:
        return json.loads(resp.read().decode("utf-8"))
Confidence
93% confidence
Finding
with urllib.request.urlopen(req, timeout=15, context=ssl_context) as resp:

Tainted flow: 'req' from os.environ.get (line 2192, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
# Get SSL context with proper certificate handling
        ssl_context = get_ssl_context()

        with urllib.request.urlopen(req, timeout=30, context=ssl_context) as response:
            result = json.loads(response.read().decode('utf-8'))
            if result.get("success"):
                return True, "Telemetry sent successfully"
Confidence
99% confidence
Finding
with urllib.request.urlopen(req, timeout=30, context=ssl_context) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises broad capabilities including shell, file reads, environment access, and network use, but does not declare corresponding permissions in the manifest. This creates a transparency and consent problem: users and hosting platforms may underestimate what the skill can access or transmit, especially because telemetry is enabled by default and the skill inspects host state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The description frames the skill as a stateless posture monitor, but the documented behavior extends into external telemetry, transcript inspection, skill/file scanning, notifications, and third-party reputation queries. This mismatch is dangerous because operators may approve installation based on an incomplete threat model, while the skill performs broader surveillance and network activity than expected.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The README and metadata create an expectation of constrained or privacy-preserving operation, but the documented default behavior is periodic telemetry upload to a centralized public Trust Center. This mismatch can cause users to deploy the skill under false assumptions, leading to unintended disclosure of host, agent, or assessment data.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The claim that the tool is 'stateless' and 'leaves no traces on the host' is inconsistent with instructions to install a recurring cron job. Misrepresenting persistence lowers operator awareness and can lead to unauthorized long-term execution on systems where users believed nothing persistent would be installed.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The knowledge base includes checks about social reputation, owner trustworthiness, and external platform judgments that go beyond the declared scope of host security posture monitoring. This creates undocumented surveillance and trust-scoring behavior that can affect users or agents based on unrelated social criteria, expanding data collection and decision-making beyond the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The file explicitly defines a detection that judges an agent owner's social reputation and verifiable platform presence, which is unrelated to technical host security posture. This introduces unjustified profiling and trust decisions that may be used to gate behavior or label users without a clear security necessity.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The check catalog extends beyond technical security-posture monitoring into surveillance of social-media content and human reputation scoring, which is not clearly aligned with the stated skill purpose. That scope expansion can enable unnecessary collection and judgment of personal data, increasing privacy, policy, and misuse risk without a strong security justification.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Scoring the human owner's trustworthiness based on X/Twitter follower counts is not a reliable security control and introduces arbitrary profiling into a security product. If used for enforcement or decision-making, it can cause unjustified blocking, privacy harm, and biased outcomes while providing little real protection against compromise.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
These checks enumerate sensitive user areas such as ~/.ssh, home-directory .env files, and shell history to score an agent's posture. Even if intended for security assessment, this is broader than necessary for agent-local posture monitoring and exposes personal secrets metadata and credential artifacts unrelated to the agent itself.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The file scans git history and installed skills content, which crosses from environment posture checking into source-content auditing. That expands the skill's access to potentially sensitive code and historical commits, creating unnecessary exposure and privacy risk relative to the stated trust-scoring purpose.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
On Linux, the 'No hidden communication channels' check does not inspect messaging-service connections as described; it counts essentially all established TCP connections. This gives the skill a broad network-surveillance capability over user/system activity, which is materially more invasive than its documented purpose.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The check description promises detection of messaging-service API use, but the Linux command counts all active TCP connections instead. This mismatch is dangerous because users may consent to a narrow behavioral check while actually granting broad visibility into network activity.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill claims security posture monitoring but also performs Moltbook identity enrichment, post review, and owner-reputation collection. That scope expansion causes additional sensitive data access and network activity that a user would not reasonably expect from the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Assessing a human owner's trustworthiness from X/Twitter follower counts is unrelated to host security posture and introduces unnecessary profiling. This can lead to unjustified gating decisions and needless collection/transmission of identity-linked social data.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
Scanning Moltbook posts for 'moral or integrity violations' is content moderation, not system security assessment. It requires retrieving and analyzing recent posts, which broadens surveillance and data handling beyond the advertised purpose.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README promotes periodic upload of telemetry to a centralized public dashboard without a prominent privacy or data-transmission warning. Because the tool performs security posture checks that may touch sensitive system state, users may unknowingly expose operational metadata or other sensitive findings to external infrastructure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The setup flow instructs the agent to create a cron job every 15 minutes without a clear warning that this enables ongoing autonomous execution. In an agent-skill context, silently establishing recurring execution increases risk because it persists behavior beyond the initial user action and may continue networked telemetry collection indefinitely.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The policy text imposes a social-reputation standard on owners, treating low social presence or low follower count as higher risk. That is a non-technical trust judgment without clear opt-in or justification, and it can drive unfair or opaque security decisions unrelated to actual compromise indicators.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
A policy that assigns risk solely from follower-count thresholds is easily gamed, not security-grounded, and can encode unfair or misleading judgments about users. In a security-monitoring skill, this creates a false sense of assurance and may drive inappropriate trust decisions based on irrelevant social metrics.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The telemetry routine sends extensive agent metadata, environment context, findings, and detections over the network. Although the docstring mentions telemetry generally, the transmission point lacks strong consent and the payload is much richer than many users would expect from a local scanner.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code silently searches environment variables and several credential-file paths for Moltbook API keys. Implicit credential harvesting from standard locations increases surprise and risk, especially in a tool marketed primarily as a security monitor.

VirusTotal

66/66 vendors flagged this skill as clean.
