ClawHub

Skill Doctor

Security checks across malware telemetry and agentic risk

Overview

Skill Doctor is a disclosed maintenance tool for scanning, editing dependency manifests, and optionally running skill tests; its risky modes are user-invoked rather than hidden.

Install this as a developer utility, not as a passive scanner for untrusted code. Use the default sandboxed test mode, avoid --no-sandbox unless the target skill and tester are trusted, and review requirements.txt changes before installing dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env["OPENCLAW_DOCTOR_NO_SANDBOX"] = "1"
    cmd = [sys.executable, str(tester), "--skill", skill_slug, "--json"]
    try:
        r = subprocess.run(
            cmd,
            cwd=str(skills_root),
            env=env,
Confidence
89% confidence
Finding
r = subprocess.run( cmd, cwd=str(skills_root), env=env, capture_output=True, text=True, timeout=timeout, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and facilitates sensitive capabilities including reading and writing files, invoking subprocesses/shell-based tooling, using environment variables, and potentially enabling networked execution via no-sandbox testing, but it declares no explicit permissions. That mismatch is a real security issue because users and policy engines cannot accurately assess or constrain the skill's access, and the documented `--no-sandbox` mode increases the chance of unintended broad execution against untrusted skills.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README advertises `--no-sandbox` execution as a normal test mode without warning that it runs the target skill with full host environment access. Because skills are potentially untrusted and may contain arbitrary code, this can expose local files, credentials, network access, or other sensitive resources when users follow the documented command.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The description grants broad authority to scan folders, modify dependency manifests, and test skills 'in or out of sandbox' without clear scope limitations or safety boundaries. In an agent ecosystem, this ambiguity can enable overly permissive invocation, causing unintended file changes, dependency tampering, or execution of untrusted skill code outside isolation.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The tool can directly rewrite requirements.txt files when --fix is used, but it provides no prominent user-facing warning that it will modify repository contents. This is not a stealth backdoor, but it is a real integrity/safety issue because dependency files affect future installs and can introduce or remove packages in ways the user may not expect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill supports a --no-sandbox mode that runs tests with full environment exposure, but there is no strong warning or secondary confirmation. In this context, testing a skill may execute arbitrary skill code, so disabling sandboxing materially increases the risk of credential exposure, filesystem access, and command execution on the host.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal