Openclaw Ledger

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a disclosed local audit-ledger tool with no evidence of hidden networking, exfiltration, or deceptive behavior.

Install only if you want a local audit trail for a workspace. Treat exported ledger output as sensitive, avoid running it over unrelated private folders, and review restore/protect behavior before using it in evidence-preservation workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and instructs use of Python scripts that read the workspace, write a tamper-evident ledger, and invoke shell commands, but it declares no permissions for those capabilities. This creates a transparency and consent gap: users or hosting agents may treat the skill as less privileged than it really is, increasing the risk of unintended file access, file modification, and command execution across the workspace.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The protect flow can overwrite the active ledger automatically by copying a prior frozen backup into place without explicit user confirmation. In a security/audit context, silent rollback can destroy the current state of evidence, surprise operators, and be abused by anyone who can trigger the command to revert the ledger to an older version and obscure recent events.

Ssd 3

High
Confidence
92% confidence
Finding
The export command emits the full audit chain, including workspace path, file snapshots, change history, and user-provided messages, directly to stdout in plain JSON or text. In an agent skill context, stdout is often captured, logged, or forwarded to other systems, so this creates a high risk of unintentionally disclosing sensitive filesystem structure, activity history, and potentially confidential filenames or operator notes.

VirusTotal

58/58 vendors flagged this skill as clean.
