Agent Swarm

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it claims, but it quietly saves excerpts of delegated task text to a local audit log despite documentation saying it does not write or persist data.

Install only if you are comfortable with tasks being routed to OpenRouter-backed sub-agents and with local audit logging of prompt excerpts. Avoid pasting secrets or sensitive business/personal data unless you first disable, remove, or regularly clear the agent-swarm delegation log under your OpenClaw home directory, and manually review any suggested execution config patch before applying it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Tainted flow: 'log_file' from os.environ.get (line 158, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
            "model": model_id,
            "reasoning": (recommendation or {}).get("reasoning", ""),
        }
        with open(log_file, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry, ensure_ascii=False) + "\n")
    except OSError:
        pass
Confidence
91% confidence
Finding
with open(log_file, "a", encoding="utf-8") as f:

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The router persists task content to disk automatically in its audit log, but there is no clear user-facing consent, warning, or minimization at the logging point. Since task text may include secrets, internal prompts, code, or personal data, this creates avoidable sensitive-data retention and increases exposure if logs are later accessed by other users, tools, backups, or incident responders.

Ssd 3

Medium
Confidence
97% confidence
Finding
The audit entry stores the raw task string (up to 500 characters) in plain text, which can capture user-supplied credentials, proprietary data, or regulated information. In an agent-routing context, users commonly paste sensitive operational requests, so plaintext persistence materially raises confidentiality risk even if the feature was intended for debugging or auditability.

VirusTotal

64/64 vendors flagged this skill as clean.
