boardroom-advisor

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent business-advisory prompt pack with disclosed optional OpenRouter use and bounded report-file output, but users should invoke it intentionally and protect business secrets/API keys.

Install only if you want an agent to run structured business-decision reviews. Use it deliberately rather than letting it trigger on every casual 'should I' question, run it in a dedicated folder, avoid sharing confidential business details with OpenRouter unless acceptable, and store OPENROUTER_API_KEY only in local uncommitted environment/config files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill explicitly instructs the agent to run proactively whenever it 'identif[ies] the user is facing a major decision,' even without a direct request. This expands invocation beyond clear user intent and can cause unsolicited strategic analysis, unnecessary file creation, and possible network use, which is risky for a skill with filesystem and optional external API capabilities.

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger phrases include broad conversational patterns such as 'should I do X?' and similar generic decision language, which can match many normal exchanges that are not intended to invoke this specific skill. In context, that ambiguity is more dangerous because the skill may then gather extensive business context, generate persuasive outputs, write artifacts to disk, and potentially call OpenRouter.

Missing User Warnings

Medium
Confidence: 87%
Finding
The documentation tells users to place a live OpenRouter API key in environment/config examples without any guidance on secret handling, rotation, or avoiding committing credentials to disk or source control. In a skill with network capability and filesystem output, this increases the chance that operators store sensitive credentials insecurely and later expose them through config files, logs, backups, or repository commits.

Missing User Warnings

Medium
Confidence: 90%
Finding
The setup section explicitly directs users to add `OPENROUTER_API_KEY` to `.env` and merge it into OpenClaw configuration, but omits warnings about accidental disclosure via committed dotfiles, shared home-directory configs, or plaintext storage. Because this skill may call an external API, credential compromise could enable unauthorized API usage, billing abuse, and misuse of the configured account.

VirusTotal

63/63 vendors flagged this skill as clean.
