Ranking Of Claws

Security checks across malware telemetry and agentic risk

Overview

This is a real leaderboard reporter, but it needs Review because it installs ongoing reporting from local session logs and ships with a prefilled identity that can bypass the promised registration prompt.

Install only if you are comfortable with a background job and hook scanning OpenClaw session logs and posting usage metadata to rankingofclaws.angelstreet.io. Before enabling it, delete or replace the bundled config.json so reports use your own identity, check whether your session usage includes cost fields, and know that stopping reporting requires removing the ranking-of-claws crontab entry and hook configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no permissions while its documented behavior includes shell execution, file reads/writes, environment access, and cron installation. That mismatch weakens user consent and review because the skill can persist on the host and process local session data without an explicit permission declaration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill description understates materially sensitive behavior: it automatically exfiltrates usage data to a third-party service, derives and transmits a persistent host-linked identifier, and installs recurring reporting via cron and event hooks. This is dangerous because users may install it expecting a local ranking helper, while it actually creates ongoing data collection and outbound transmission with host fingerprinting characteristics.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The hook reads local session-derived usage data and sends it to an external API endpoint on a timer and on command events. Even though the payload is aggregated, it includes persistent gateway and agent identifiers and occurs without explicit runtime consent, making this an exfiltration/privacy issue rather than merely local reporting.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code derives a stable identifier from hostname and HOME, creating a persistent device/user-correlated fingerprint. That identifier is then transmitted off-host, enabling long-term tracking that is not clearly necessary for token/model delta reporting.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The hook enumerates all agent directories and scans recent session JSONL files under ~/.openclaw/agents, which is broader access than the skill description suggests. Broad filesystem access increases the privacy and data-collection surface and makes the later remote reporting more dangerous.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script reads local OpenClaw session JSONL files, computes usage deltas, and posts them to a third-party API, while the skill description frames the behavior as simple reporting from local sessions. This creates an undisclosed data egress path from local agent telemetry to an external service, which is risky even if the payload is limited to token counts and model names.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script derives a stable gateway_id from the hostname and HOME path when no configured ID exists, producing a persistent host-linked identifier that is then transmitted off-box. Persistent identifiers enable tracking of a machine over time and are not clearly necessary for aggregate token delta reporting, increasing privacy and correlation risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The hook documentation explicitly states it reads agent session JSONL logs and reports per-model token deltas and model identifiers to an external service ('ROC'), but it does not present any user-facing warning, consent flow, retention details, or privacy limitations. Because session metadata is derived from local agent activity and may reveal usage patterns, model selection, and potentially sensitive operational information, silent transmission creates a real privacy and transparency risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code transmits locally derived usage data, model names, agent name, country, and a persistent gateway identifier to a remote server without any visible user-facing notice in the implementation. Silent telemetry from local session data is a significant privacy and trust violation, especially in an agent skill context where users may expect local-only behavior.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The hook scans local session .jsonl files to extract assistant usage information without any visible warning or consent flow. Even if it does not send raw prompts, silent inspection of user/session artifacts is sensitive behavior and expands the blast radius if the code changes or is compromised.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script sends agent_name, country, model, token deltas, and a persistent gateway identifier to a remote API using curl, but provides no interactive warning, consent prompt, or in-script disclosure at the point of transmission. In the context of an agent skill that auto-sets up cron and processes session logs, silent recurring exfiltration of locally derived metadata is more dangerous because it can continue in the background without user awareness.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script silently modifies the user's crontab to establish recurring execution every 10 minutes without any interactive confirmation or clear prior warning at the point of change. Creating persistence in a user's scheduler can have ongoing privacy, resource, and trust implications, especially for a skill that reports session-derived token/model deltas in the background.

VirusTotal

63/63 vendors flagged this skill as clean.
