Content Creator Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward AI writing helper with no evidence of hidden file access, credential use, persistence, or destructive behavior, though it may not run as packaged because of missing import targets.

Review which LLM provider your OpenClaw runtime uses before submitting unpublished, personal, or business-sensitive drafts. Also verify that the package runs, because the main file references agent modules that are not included in the published artifact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The Tree of Thoughts workflow sends the full user task to `this.llm.generate(...)` for both idea generation and scoring without any visible disclosure, consent gate, or data-minimization control. In a content-creation assistant, tasks may contain unpublished drafts, internal documentation, or sensitive business information, so silent transmission to an external model can create confidentiality and compliance risks.

Missing User Warnings

Medium
Confidence: 95%
Finding
The Reflection workflow extracts content from the task and then sends both the content and subsequent feedback to the LLM during iterative refinement, potentially multiple times. Because this skill is specifically designed to process articles, blogs, and documentation, it is likely to handle proprietary drafts or personal data, making undisclosed repeated transmission to an external service a meaningful privacy and data-governance risk.

VirusTotal

64/64 vendors flagged this skill as clean.
