Isolated Workspace

Security checks across malware telemetry and agentic risk

Overview

The skill is not malicious, but it overstates workspace isolation while directing persistent repository changes and setup commands in the current working tree.

Install only if you are comfortable treating this as a branch-based workflow, not true workspace isolation. Before using it, ask the agent to confirm the working directory, show any .gitignore diff before committing, and pause before running package-manager setup commands in repositories you do not fully trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium, 95% confidence
Finding
The skill claims to create an isolated workspace but only runs `git checkout -b` in the current working tree, which does not isolate uncommitted files, build artifacts, or environment state from ongoing work. This can mislead the agent into believing it has a clean sandbox when it is still operating in the same repository directory, increasing the chance of contaminating the main workspace or making unsafe changes under false assumptions.

Intent-Code Divergence

Medium, 97% confidence
Finding
The OpenClaw guidance explicitly says to use `git branch` plus an independent working directory, but the procedure never creates or enters such a directory. That mismatch is dangerous because subsequent setup and test commands will execute in the original workspace, where they can alter tracked files, dependency state, or user work while the operator believes isolation protections are in place.

VirusTotal

63/63 vendors flagged this skill as clean.