Agent Self Repair

Security checks across malware telemetry and agentic risk

Overview

This self-repair skill is not clearly malicious, but it encourages automatic host-level changes without enough scoping or user control.

Install only if you are comfortable reviewing and constraining the repair workflow yourself. Disable automatic fixes by default, require confirmation for package installs, service restarts, cache deletion, and config edits, and treat error logs as potentially sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

High, 98% confidence
This is a true vulnerability because the skill's safety note claims repairs are limited to the workspace, but the documented implementation performs actions outside that boundary: global package installation via pip3, service restart, and deletion of cache under ~/.openclaw. That mismatch can cause operators or downstream agents to trust the skill with broader permissions than intended, increasing the chance of unsafe automated changes to the host environment.

Intent-Code Divergence

Medium, 97% confidence
This is a true vulnerability because the skill promises logging and rollback, yet the shown implementation does not log repair actions or create backups sufficient for rollback. In an automatic self-repair system, missing auditability and recovery mechanisms make destructive or incorrect fixes harder to detect, investigate, and undo.

Missing User Warnings

High, 96% confidence
This is a true vulnerability because the skill markets fully automatic repair with no manual intervention while later including potentially dangerous host-level actions such as dependency installation, service restart, and cache deletion. In the context of an agent skill, that framing makes the behavior more dangerous because it encourages autonomous execution of impactful operations without informed consent or approval gates.

VirusTotal

66/66 vendors flagged this skill as clean.