Openclaw Security

Security checks across malware telemetry and agentic risk

Overview

This is a coherent security-tool orchestrator, but it can bulk-install, update, execute, and run automated remediation tools across a workspace without enough scoping or confirmation safeguards.

Install only if you trust this publisher and the 11 companion tools it installs. Review the companion tools before running setup, scan, update, or protect; use an explicit workspace path; avoid unpinned latest-version updates in important workspaces; back up the workspace first; and do not run protect unless you are prepared for automated changes such as quarantine, blocking, revocation, rotation, containment, or remediation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cmd = [python, str(script)] + args + ws_args

    try:
        result = subprocess.run(
            cmd,
            capture_output=capture,
            text=True,
Confidence
92% confidence
Finding
result = subprocess.run(
    cmd,
    capture_output=capture,
    text=True,
    timeout=60,
    cwd=str(workspace),
)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and invokes Python scripts that can access environment data and execute shell-like operations, but it does not declare corresponding permissions. This creates a transparency and consent problem: users and higher-level policy systems may underestimate the skill's authority, especially since it installs, updates, and scans a workspace security stack.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README instructs users to clone the repository, copy it into a live skills directory, install 11 external tools, and run initialization commands, but it does not clearly warn that these actions will modify the local environment and pull in additional code from external sources. In a security-focused skill, this broad installer behavior is especially sensitive because users may over-trust the package due to its branding and run it with elevated confidence, increasing supply-chain and workspace modification risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The install workflow says it installs 11 security tools from ClawHub but does not warn the user that it fetches and installs code from an external source. Even for security tools, remote code retrieval changes the trust boundary and can expose the workspace to supply-chain compromise or unexpected code execution.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The first-time setup command initializes integrity baselines, signing state, audit ledgers, and compliance policy, but the skill does not warn that it modifies persistent security state inside the workspace. Hidden initialization can affect future enforcement, trust decisions, and incident response, making recovery harder if the setup was unintended or misconfigured.

Missing User Warnings

High
Confidence
97% confidence
Finding
The Pro protection sweep is described as automated countermeasures across tools whose Pro modes include blocking, quarantine, rollback, revoke, reject, rotate, enforce, contain, and remediate actions. Without an explicit warning, users may trigger destructive or disruptive enforcement against files, credentials, permissions, or network behavior in their workspace.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The install/update/protect flows perform bulk external operations that change the workspace and execute subordinate tools without an explicit warning or confirmation. In a security suite context this is more dangerous because users may assume these actions are purely diagnostic, while they can install code, update code, and apply automated countermeasures across the workspace.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The workspace is resolved from OPENCLAW_WORKSPACE, current directory heuristics, and a default path, but the script does not clearly disclose which path was chosen before taking action. This can cause the suite to operate on an unintended repository or attacker-influenced path, which matters here because later commands execute workspace-resident scripts and perform installations or protective changes there.

VirusTotal

58/58 vendors flagged this skill as clean.