Evomasterscheduler

Security checks across malware telemetry and agentic risk

Overview

This maintenance scheduler appears purpose-built rather than malicious, but it installs persistent jobs that can copy secrets, mutate workspace state, delete logs, and send operational details to Slack without enough scoping or user control.

Install only if you intentionally want persistent daily OpenClaw maintenance automation. Before use, review every script, disable or minimize Slack notifications, exclude or encrypt `.env` and config backups, replace `git add .` with a narrow allowlist, inspect the referenced local helper scripts, and make sure you have a clear way to remove the cron jobs and restore changed state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The script states that cron removal requires user approval and is only being marked, but it proceeds to make operational changes by creating seven new scheduled tasks. This mismatch between comments/logging and actual behavior is dangerous because it can mislead reviewers or users about the extent of system changes, causing unauthorized persistence and automated execution of maintenance, upgrade, or security scripts without explicit confirmation.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The Slack message asserts that file permissions, gateway binding, and credential exposure checks were verified even though the script does not actually perform those validations. This creates a false sense of security and can cause operators to miss real security regressions because the notification reports success regardless of what the audit actually checked.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly describes automated remediation, cleanup, upgrades, backups, security actions, and crontab synchronization, all of which can modify system state or persistence without any warning, confirmation, scope limitation, or rollback guidance. In an agent skill context, unattended scheduled changes are especially risky because they can alter configuration, permissions, software versions, and persistence mechanisms in ways that could disrupt the host or be abused for unauthorized privileged actions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script backs up sensitive files including `openclaw.json` and especially `.env`, which commonly contain API keys, tokens, and secrets, into a general backup directory with no access-control hardening, encryption, or user notice. This creates a clear credential exposure risk if the backup location is readable by other users, synced elsewhere, or later exfiltrated.

Missing User Warnings

Medium
Confidence: 88%
Finding
The script recursively copies the full workspace and then performs `git add . && git commit`, which can persist sensitive or unintended files into version control without review. In an automated cron context, this is more dangerous because it happens silently and repeatedly, increasing the chance of committing secrets, generated artifacts, or private data.

Missing User Warnings

Medium
Confidence: 79%
Finding
The Slack notification sends operational metadata such as backup path, timestamps, and log file location to an external service. While it does not directly send file contents here, these details can aid reconnaissance, reveal filesystem layout, and leak internal operational habits to anyone with access to the Slack channel or integrations.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script transmits operational data, including log path, execution time, and error/warning counts, to Slack via an external notification script without any evident consent, disclosure, or data-minimization controls. Even though the payload is limited, external transmission can expose internal system metadata and normalize outbound data flows from an agent skill, which becomes more dangerous in autonomous or scheduled execution contexts.

Missing User Warnings

Medium
Confidence: 88%
Finding
The script sends operational details to Slack, including the local log file path and confirmation of maintenance activity, which constitutes external transmission to a third-party service. In a security-sensitive agent environment, even modest metadata about filesystem layout, schedules, and maintenance operations can aid reconnaissance or leak internal operational details to unintended recipients if the Slack integration or channel is misconfigured.

VirusTotal

66/66 vendors flagged this skill as clean.
