Openclaw Egress

Security checks across malware telemetry and agentic risk

Overview

This is a defensive local egress scanner, but it includes under-disclosed commands that can rewrite code files and disable installed skills.

Install only if you want a local security tool that can inspect workspace files and you are prepared to supervise its modifying commands. Prefer scan, status, and domains first; avoid protect, block, and quarantine unless you have backups and accept that they can change code or disable skills.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and relies on running local Python commands that scan arbitrary workspace content, yet the manifest does not declare any permissions despite implying file access, shell execution, and detection of network-related code patterns. This mismatch is dangerous because it obscures the true capability surface from users and policy engines, reducing informed consent and making it easier for a harmful or modified implementation to access files or invoke commands without explicit permission review.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This is a true security concern because the skill performs destructive workspace actions beyond passive detection: it renames whole skill directories and comments out source lines automatically. In an agent environment, that gives the tool broad integrity impact over unrelated code and can disable or alter legitimate skills based on heuristic findings, creating denial-of-service and tampering risk if misused or triggered incorrectly.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The file modification logic is broader than necessary for an egress scanner: it rewrites arbitrary code files in the workspace and creates backups, which can change program behavior and persist unintended edits. In a multi-skill workspace this creates a powerful tampering primitive that could be abused to corrupt code, suppress functionality, or interfere with operations under the guise of security enforcement.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Automatic source rewriting and backup creation without strong, immediate warnings increases the chance of accidental destructive changes. In an agent workflow, users may invoke a protection command expecting analysis only, while the tool silently alters code, which can break builds, mask evidence, or create hard-to-review state changes.

VirusTotal

61/61 vendors flagged this skill as clean.
