Openclaw Action

Security checks across malware telemetry and agentic risk

Overview

This security-scanning action has a coherent purpose, but it downloads and runs mutable external Python code in CI while its documentation gives misleading local/no-network assurances.

Review before installing. Use this only if you trust the AtlasPA scanner repositories and are comfortable running their current main-branch code in your CI environment. Prefer a version that vendors the scanners or pins immutable commits with checksum verification, and run the workflow with least-privilege GitHub token permissions and limited secrets exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tainted flow: 'bastion_path' from os.environ.get (line 158, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
if bastion_path.exists():
    # bastion uses subparser: --workspace before scan
    try:
        result = subprocess.run(
            [sys.executable, str(bastion_path), "--workspace", str(workspace), "scan", "--json"],
            capture_output=True,
            text=True,
Confidence
75% confidence
Finding
result = subprocess.run( [sys.executable, str(bastion_path), "--workspace", str(workspace), "scan", "--json"], capture_output=True,

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The README makes mutually inconsistent trust claims: it says there are no network calls, while also stating the action downloads fresh scanner scripts each run. For a security-scanning GitHub Action, that contradiction materially obscures runtime code-fetching behavior and can mislead users into granting trust to an action that executes remotely retrieved code in CI.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The README claims 'No dependencies' and that all logic is plain-text local Python, but then says scanner scripts are fetched from external repositories each run. In security tooling, this is dangerous because it hides a supply-chain boundary: the effective code executed is not fully contained in the action, and may change outside the pinned action version.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The action downloads Python scanner scripts at runtime from external GitHub repositories using floating 'main' branch URLs, then invokes local scanning logic that depends on those retrieved files. This creates a supply-chain execution path where upstream repo compromise, branch mutation, or response tampering can change code executed in CI without any version pinning or integrity verification.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Fetching executable scripts from the network during a security scan is especially dangerous because the action is likely to run in privileged CI contexts with repository contents and possibly secrets available. A malicious or compromised upstream script could exfiltrate source code or tokens, or tamper with scan results, while appearing to perform a legitimate security function.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README fails to clearly warn users that scanner scripts are downloaded from external repositories at runtime. In the context of a GitHub Action intended for security scanning, this omission increases risk because users may assume a static, auditable action while actually introducing dynamic remote code execution into their CI environment.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The manifest omits a clear warning that the action downloads executable code from remote repositories at runtime, which weakens informed consent and can mislead users into trusting the action as self-contained. In the context of a security scanner, that lack of transparency is more dangerous because users may run it on sensitive pull requests or repos expecting defensive behavior only.

VirusTotal

66/66 vendors flagged this skill as clean.
