agentauth

Security checks across malware telemetry and agentic risk

Overview

AgentAuth is mostly transparent about being a passkey approval gate, but the skill also carries broad local command-execution and persistent agent-configuration authority that users should review carefully.

Install only if you intentionally want AgentAuth to mediate and execute dangerous local commands after passkey approval. Before using it, make sure approvers can see the real command they are approving, treat display text as potentially incomplete, protect ~/.openclaw/.env, and review the AGENTS.md changes and cleanup behavior. Avoid passing commands built from untrusted text or prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The approval flow does not merely obtain or attest user consent; after approval it directly executes the supplied `toolCall` via a shell command executor. That makes the skill an arbitrary command runner behind a remote approval step, which is much more dangerous than the manifest claims and expands compromise impact to full local code execution if the gated command is attacker-influenced.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
`CommandExecutor.execute()` uses `child_process.exec(command)`, which runs an arbitrary string through the system shell. In this skill, that capability far exceeds what a minimal authorization gate needs: it enables shell metacharacter abuse, command chaining, and full command execution with the agent's privileges.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The onboarding and cleanup paths persist credentials to `~/.openclaw/.env` and modify `workspace/AGENTS.md`, meaning the skill changes agent configuration and prompt behavior beyond simple passkey authorization. Because the skill advertises itself as a protective gate, these persistent mutations materially increase trust and persistence risk if the skill or its service is compromised.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The CLI help explicitly describes `toolCall` as 'the exact dangerous command or tool call that would be executed', aligning the product with execution of approved commands rather than approval-only gating. This confirms the unsafe design and can mislead integrators into passing raw destructive shell commands into the skill.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The code writes API credentials into the user's persistent OpenClaw `.env` file during onboarding without an explicit warning at the write point or any hardened storage mechanism. If local files are later exposed, backed up insecurely, or read by other tools, these credentials can be recovered and abused.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
`updateAgentMarkdown()` mutates `AGENTS.md` on disk by inserting persistent behavioral instructions, including hidden HTML-comment markers and security policy text, without a direct explicit warning at the mutation site. This changes future agent behavior and creates prompt persistence, which is especially sensitive in a skill that claims to defend against prompt bypass.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The execution path runs shell commands without any immediate user-facing disclosure at the moment of execution beyond whatever approval text was previously shown. If the displayed description differs from the actual raw command or is attacker-crafted, users may approve one thing while the agent executes another destructive command.

VirusTotal

All 64 VirusTotal vendors returned a clean verdict for this skill. That result speaks only to known-malware signatures; it does not cover the design issues in the findings above.