Openclaw Triage

Security checks across malware telemetry and agentic risk

Overview

This appears to be a defensive incident-response skill, but it needs Review because it can modify or remove workspace items and run helper scripts from the workspace under investigation.

Install only if you intentionally want an active incident-response tool with authority to inspect and change a workspace. Prefer running the investigation, timeline, scope, and evidence commands first; back up the workspace before running 'contain', 'remediate', or 'protect'; and verify any workspace-local helper tools before allowing remediation.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection

Findings (11)

Tainted flow: 'ws' from os.environ.get (line 78, credential/environment) → subprocess.run (code execution)

Severity: Medium
Category: Data Flow
Confidence: 83%
Content:
for d in ("openclaw-signet", "openclaw-signet")]:
        if cand.is_file():
            try:
                r = subprocess.run([sys.executable, str(cand), "sign", "--workspace", str(ws)],
                                   capture_output=True, text=True, timeout=30)
                if r.returncode == 0: actions.append("Re-signed skills"); print("      Done.")
                else: print(f"      Code {r.returncode}")
Finding:
r = subprocess.run([sys.executable, str(cand), "sign", "--workspace", str(ws)], capture_output=True, text=True, timeout=30)

Tainted flow: 'ws' from os.environ.get (line 78, credential/environment) → subprocess.run (code execution)

Severity: Medium
Category: Data Flow
Confidence: 83%
Content:
for d in ("openclaw-ledger", "openclaw-ledger")]:
        if cand.is_file():
            try:
                r = subprocess.run([sys.executable, str(cand), "record", "--action", "remediation",
                                    "--detail", f"Triage Pro remediation {now_iso()}", "--workspace", str(ws)],
                                   capture_output=True, text=True, timeout=30)
                if r.returncode == 0: actions.append("Recorded in ledger"); print("      Done.")
Finding:
r = subprocess.run([sys.executable, str(cand), "record", "--action", "remediation", "--detail", f"Triage Pro remediation {now_iso()}", "--workspace"

Tainted flow: 'ws' from os.environ.get (line 78, credential/environment) → subprocess.run (code execution)

Severity: Medium
Category: Data Flow
Confidence: 83%
Content:
for d in ("openclaw-warden", "openclaw-warden")]:
        if cand.is_file():
            try:
                r = subprocess.run([sys.executable, str(cand), "scan", "--workspace", str(ws)],
                                   capture_output=True, text=True, timeout=60)
                if r.returncode == 0: actions.append("Rebuilt baselines"); print("      Done.")
                else: print(f"      Code {r.returncode}")
Finding:
r = subprocess.run([sys.executable, str(cand), "scan", "--workspace", str(ws)], capture_output=True, text=True, timeout=60)

Tainted flow: 'ap' from os.environ.get (line 584, credential/environment) → shutil.copy2 (file write)

Severity: Medium
Category: Data Flow
Confidence: 72%
Content:
            ap = ws / rel
            for sf in [sd / rel.replace("/", "_"), sd / rel]:
                if sf.is_file() and sha256_file(ap) != info.get("sha256", "") if ap.is_file() else True:
                    try: shutil.copy2(sf, ap); rc += 1; actions.append(f"Restored: {rel}"); print(f"      Restored: {rel}")
                    except OSError as e: print(f"      Failed: {e}")
                    break
    bp = ws / BACKUPS_DIR
Finding:
try: shutil.copy2(sf, ap); rc += 1; actions.append(f"Restored: {rel}"); print(f"      Restored: {rel}")

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill advertises shell execution, environment access, and file read/write behavior through its documented commands, but it does not declare any permissions or constraints in the manifest. This creates a trust and review gap: a user or host system may treat the skill as low-privilege while it can inspect and copy sensitive workspace data, including forensic/security artifacts, and write evidence output to disk.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding:
The playbook text describes 'protect' as if it were containment, but the command also performs evidence collection and report generation and may take broader automated actions. Mislabeling high-impact automation in a security tool can cause operators to trigger side effects they did not intend during incident handling.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The remediation command expands from triage into code execution by launching other local Python tools from the workspace. In the context of incident response, that is dangerous because the workspace is the very object under suspicion and may contain attacker-modified helper scripts.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
Containment quarantines skill directories by copying and then deleting them without interactive confirmation. In a triage tool operating on possibly legitimate workspaces, automatic destructive changes can disrupt service, erase state, or hinder safe forensic review if triggered by false positives.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The script renames hook configuration files to disable them based on a simple keyword heuristic, again without confirmation. That can break automation or security controls unexpectedly, and in a response context a false positive could interfere with normal or even protective workflows.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
Remediation restores files, writes backups, rebuilds baselines, and executes helper tools without explicit confirmation. These actions alter system state substantially, and on a compromised workspace they can both destroy evidence and trigger attacker-controlled code paths.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The 'protect' sweep automatically performs containment and evidence-writing actions based on its own findings, with no user confirmation. Because its heuristics are broad and the tool operates on potentially sensitive workspaces, unintended automatic writes, quarantines, and reporting can cause operational damage and alter forensic state.

VirusTotal

58/58 vendors flagged this skill as clean.