Openclaw Warden

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local defensive workspace scanner, but it also includes under-disclosed actions that can overwrite agent files or disable skills without confirmation.

Install only if you want a security tool that can do more than report findings. Use verify, scan, full, and status for report-only checks; avoid protect, restore, rollback, and quarantine unless you have reviewed the target files and have backups, because those commands can replace legitimate edits or disable an installed skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
sys.exit(1)

    # Checkout from HEAD
    result = subprocess.run(
        ["git", "checkout", "HEAD", "--", rel],
        cwd=str(workspace),
        capture_output=True, text=True,
Confidence
86% confidence
Finding
result = subprocess.run( ["git", "checkout", "HEAD", "--", rel], cwd=str(workspace), capture_output=True, text=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
git_dir = workspace / ".git"
            if git_dir.exists():
                import subprocess
                result = subprocess.run(
                    ["git", "checkout", "HEAD", "--", rel],
                    cwd=str(workspace),
                    capture_output=True, text=True,
Confidence
94% confidence
Finding
result = subprocess.run( ["git", "checkout", "HEAD", "--", rel], cwd=str(workspace), capture_output=True, text=True,

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises executable capabilities such as environment access, file read/write, and shell commands, but does not declare corresponding permissions in its metadata. This creates a transparency and policy-enforcement gap: users or tooling may underestimate the skill's power, making it easier for a harmful or overly broad action to be invoked without appropriate review.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Here the expanded capability is coupled to unattended execution: the protection routine can spawn git to modify repository state automatically. That combination is dangerous because a scanning tool is expected to report, but this path can instead alter files based on pattern matches and integrity deltas, magnifying harm from misclassification.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
`cmd_restore` overwrites the destination file from a snapshot immediately, with no confirmation, preview, backup of current contents, or access control beyond being able to invoke the script. In an agent workspace, that can destroy legitimate edits or be abused by another component to revert safety-relevant files silently.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The rollback command irreversibly replaces the file with its last committed version without confirming with the user or preserving uncommitted contents. Because the path comes from the caller and the operation mutates the workspace, accidental or induced execution can remove valid work and reset security-sensitive files.

Missing User Warnings

High
Confidence
97% confidence
Finding
This automatic protection sweep restores modified critical files solely based on detection outcomes, without human review, and even when a file is merely a modified critical file rather than a malicious one. In this skill context, the tool is meant to protect agent instructions and skill files, so silently overwriting those very assets is especially dangerous: it can erase legitimate updates or enable denial of service via crafted false positives.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code automatically renames skill directories to quarantine them based on critical injection findings, again without prior approval. In an agent skill ecosystem, disabling skills can materially change behavior and availability, so a false positive can cause operational denial-of-service or disrupt security tooling itself.

VirusTotal

45/45 vendors flagged this skill as clean.
