Openclaw Onboarding

Security checks across malware telemetry and agentic risk

Overview

This onboarding skill is documentation-only, but it instructs the agent in broad persistent memory, unreviewed skill installation, and group-chat processing without adequate user control or privacy scoping.

Install only after reviewing the privacy and installation implications. Avoid saving secrets or sensitive personal/business data in memory, do not use confirmation-skipping install commands for new skills, and use chat-summary or document-export features only for conversations and destinations you are authorized to access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability

Severity: Medium, confidence 95%
The training guide explicitly instructs the agent to install additional skills at runtime, including from search results, which expands privileges and behavior beyond the original reviewed scope. This creates a supply-chain and policy-bypass risk because newly installed skills may introduce unsafe actions, data access, or malicious instructions without prior review.

Context-Inappropriate Capability

Severity: Medium, confidence 92%
The guide tells users the assistant can summarize group chats without being added to the chat, implying background access to collaboration data that may be private or unauthorized. Presenting this as normal use encourages processing of potentially sensitive communications without visible consent, membership, or authorization checks.

Missing User Warnings

Severity: Medium, confidence 89%
The README encourages users to store persistent memories and summarize group chats, but it does not disclose what data is collected, how long it is retained, who can access it, or whether consent is required from chat participants. This creates a real privacy and compliance risk because users may submit sensitive personal or third-party communications without understanding the handling boundaries.

Missing User Warnings

Severity: Medium, confidence 91%
The README promotes automatic skill discovery and installation as a convenience feature without warning that it may fetch and install third-party capabilities with broad permissions or system effects. This is dangerous because it normalizes supply-chain risk and may lead users to authorize unreviewed code or powerful integrations without informed consent.

Vague Triggers

Severity: Medium, confidence 93%
The trigger list includes broad everyday phrases such as “怎么使用” and “不会用”, which can match normal conversation and cause the skill to activate unexpectedly. In a skill that exposes memory, skill installation, and group-summary capabilities, accidental activation can lead to unintended actions, privacy surprises, or confusing behavior for users.

Missing User Warnings

Severity: Medium, confidence 95%
The skill advertises “永久保存” memory and direct group-chat summarization without warning users about data retention, consent, scope, or access boundaries. This is dangerous because users may disclose sensitive personal or third-party information without understanding it will be stored or analyzed, creating privacy, compliance, and trust risks.

Vague Triggers

Severity: Medium, confidence 89%
The skill's activation criteria are very broad and match common user intents such as asking how to do something or whether the agent can help with a task. In an agent system that auto-selects skills, this can cause the skill to trigger frequently and steer interactions toward package discovery or installation workflows when the user did not explicitly ask to modify the environment.

Missing User Warnings

Severity: Medium, confidence 97%
The skill recommends `npx skills add <owner/repo@skill> -g -y`, which performs a global installation and suppresses confirmation prompts without any safety warning. This increases the chance of silent system modification and makes it easier for an agent to install unreviewed third-party code from remote sources with insufficient user awareness.

Vague Triggers

Severity: Medium, confidence 82%
The guide encourages activation from very generic everyday language, increasing the chance that normal conversation will trigger sensitive behaviors unintentionally. In this context, the triggered behavior is persistent storage of user-provided information, so accidental invocation can lead to privacy-impacting side effects without deliberate user intent.

Vague Triggers

Severity: Medium, confidence 93%
Using a broad trigger like '记住XXX' for automatic permanent storage lacks contextual limits and confirmation, making it easy to capture sensitive information inadvertently. Because the skill writes to disk, ambiguous natural-language matching can convert casual conversation into persistent retention of personal or confidential data.

Missing User Warnings

Severity: Medium, confidence 95%
The setup flow asks for personal information but does not disclose upfront that the responses will be written to a local file. That omission undermines informed consent and can cause users to reveal personal data they would not have shared had storage and retention been made explicit.

Missing User Warnings

Severity: Medium, confidence 96%
The guide presents automatic permanent storage as a convenience feature without any privacy warning, sensitivity guidance, or confirmation recommendation. This normalizes indiscriminate retention and increases the likelihood that secrets, personal data, or business-sensitive information will be stored locally without appropriate user awareness.

Missing User Warnings

Severity: High, confidence 97%
Group chat summarization is introduced without any warning that the agent may access, process, and retain potentially sensitive conversation data from collaboration systems. In this context, the missing privacy and authorization notice is especially dangerous because chat content often includes confidential business discussions and personal information of third parties.

Ssd 3

Severity: Medium, confidence 94%
The training flow explicitly encourages users to provide information for permanent retention in local files, establishing a pattern of persistent collection without meaningful minimization or sensitivity controls. This increases privacy risk and the blast radius of later compromise because more user data is accumulated by default.

Ssd 3

Severity: Medium, confidence 93%
The guide normalizes summarizing private group conversations and extracting action items as a standard workflow without visible consent checks or participant awareness. This can facilitate unauthorized surveillance-like processing of third-party communications and expose confidential organizational information.

VirusTotal

66/66 vendors flagged this skill as clean.