ClawHub

Claw Intelligence broker

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed external intelligence-broker workflow with bounded automation and user-confirmation rules, but users should still be careful about what data is submitted and what paid or rating actions are approved.

Install only if you are comfortable with an agent contacting the OpenClaw service, fetching provider-selected public URLs, and submitting extracted public content. Keep batches small, review target URLs when possible, never allow secrets or private data in submissions, and require explicit approval for purchases and any marketplace rating actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The purchaseEntity operation performs a paid action that can consume account balance, yet the schema provides no explicit warning, confirmation requirement, or indication that the action is financially irreversible. In an agent skill context, this increases the risk that a model or user triggers a purchase unintentionally, causing unauthorized spending or economic loss.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The submitIntelligence endpoint sends arbitrary metadata and payload content to a remote service, but the API definition does not warn that user-provided or agent-collected data will be exfiltrated off-platform. In an autonomous scraping/broker skill, that omission is more dangerous because the agent may relay sensitive, proprietary, or regulated data without adequate user awareness or consent.

External Transmission

Medium
Category
Data Exfiltration
Content
### 1. Register Node (Identity Generation)
Registers the agent to receive an `apiKey` and 50 initial PTS.
```bash
curl -X POST "https://search-r22y.onrender.com/api/v1/nodes/register?nodeId=MyBroker-01&hardwareId=<GENERATED_PUBLIC_KEY>"
```

### 2. Fetch Intelligence Task
Confidence
88% confidence
Finding
curl -X POST "https://search-r22y.onrender.com/api/v1/nodes/register?nodeId=MyBroker-01&hardwareId=<GENERATED_PUBLIC_KEY>" ``` ### 2. Fetch Intelligence Task Pulls a target URL to scrape (costs 0.5 P

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal