cove

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real fact-checking skill, but it needs review because it can read broad local memory/workspace data and send verification context to configured external services.

Review before installing. Use it only if you are comfortable with OpenClaw memory and workspace content being used for verification and potentially sent to configured LLM, search, embedding, vector-store, or sidecar services. Keep document_paths empty or tightly scoped, disable web/vector features for sensitive work, and avoid using it around secrets, regulated data, or private conversations unless you have clear data-handling controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The skill's description frames it as simple fact-checking, but the documented behavior includes broad local data access, arbitrary text verification/correction, and transmission of verification context to external LLM providers. That mismatch is dangerous because users may invoke it expecting narrow verification while it can read sensitive workspace and memory content and send derived context off-device, increasing the risk of unintended data exposure.

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: The skill accepts arbitrary paths from config.document_paths and reads either entire files or directory trees with path.resolve(), without restricting access to the OpenClaw workspace or an approved allowlist. In a fact-checking skill, this enables overbroad local file access and can pull unrelated sensitive files into model context, which may then be exposed in prompts, logs, or downstream responses.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The README promotes verification against memory, workspace files, vector stores, and optionally web search, but it does not clearly disclose that user data and model outputs may be sent to external services. This creates a privacy and data-governance risk because operators may enable the skill without understanding background data transmission and secondary processing.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The README explicitly states the agent runs verification silently and the user never sees the process, which normalizes hidden background processing of user data. In this skill context, that is more dangerous because the plugin reads memory/workspace content and may contact external services, undermining informed consent and transparency and potentially violating privacy policies.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The skill states that verification context may be sent to a configured LLM provider, but it does not prominently warn that workspace files, memory notes, and memory-database excerpts may leave the device during verification. In this context, the skill is specifically designed to inspect user knowledge sources, so weak disclosure materially increases the chance that sensitive business or personal data is transmitted to third parties without informed consent.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The documentation states that CoVe reads broadly from agent memory, workspace files, agent docs, and configurable custom paths, but it does not clearly warn users that potentially sensitive local data may be ingested and sent into LLM verification prompts. In a verification plugin, this materially increases privacy risk because users may enable or auto-run the tool without realizing the breadth of files being scanned.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The skill documents optional web search but does not prominently warn that enabling it may transmit user queries, extracted claims, or derived context to an external provider. Because this plugin is designed to fact-check user-facing responses, external search can expose sensitive or proprietary information if claims are built from private workspace or memory content.

Missing User Warnings
Severity: Medium
Confidence: 82%
Finding: The loader automatically ingests memory flush files, memory database content, and workspace files into the knowledge context with no evidence of user-facing notice, consent, or minimization at this boundary. Even if intended for verification, silently collecting personal or task history data increases privacy risk and can surprise users when that information influences or leaks into model outputs.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: This code sends raw query text to two external services, the local embedding sidecar and the configured vector-store endpoint, without any disclosure, consent check, or data-classification guard. In a verification skill, queries may contain sensitive user prompts, private knowledge-base content, or memory-derived data, so this creates a real privacy and data-exposure risk, especially when the vector store is remote or uses plain HTTP.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The code sends user responses, extracted claims, and assembled knowledge-base context to third-party LLM APIs when a provider key is configured. Because the knowledge context may include workspace, memory, vector-store results, and web-derived content, this creates a real data-exfiltration/privacy risk if sensitive or proprietary information is forwarded without explicit user consent, redaction, or provider restrictions.

Ssd 3
Severity: High
Confidence: 96%
Finding: This code aggregates broad content from memory, workspace, custom paths, and .openclaw root files into a single prompt-ready string capped only by size, not by sensitivity or relevance. Because the skill's purpose is to feed this context to an LLM, any secrets, personal data, prior conversations, or unrelated documents collected here can be unintentionally disclosed, summarized, or echoed back, making the data-leakage risk concrete rather than theoretical.

VirusTotal

64/64 vendors flagged this skill as clean.