OpenClaw Continuity Pack

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw continuity installer, but it also installs broad persistent agent rules that can monitor personal services and push repository changes without enough scoping.

Install only if you intentionally want persistent OpenClaw continuity behavior. Start with workspace-only in a test workspace, review and edit AGENTS.md before use, keep command approvals enabled, do not copy the elevated ask=off example config into production, and avoid the full runtime patch route until the missing patch file is supplied and independently reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
This template goes well beyond continuity setup and authorizes broad autonomous behavior, including periodic checks, proactive outreach, and background maintenance. In an agent workspace, these instructions can expand the agent's authority without explicit task scoping, increasing the risk of privacy-invasive actions, unexpected external interactions, and persistence of behavior the user did not request.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The file explicitly instructs the agent to check email, calendar, social notifications, and weather on a recurring basis. Granting persistent monitoring of external services is dangerous because it normalizes access to sensitive accounts and can cause the agent to collect or act on personal data outside the user's immediate request.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The template authorizes the agent to 'commit and push your own changes' without asking, which permits autonomous local modification and remote publication. This is especially risky because push operations can leak sensitive data, publish unreviewed changes, or alter production-facing repositories without human approval.

Missing User Warnings

Medium
Confidence: 89%
Finding
The document instructs users to apply a runtime patch to a source tree, rebuild, and redeploy, but the nearby guidance does not prominently warn that these actions modify local software, may break installations, and should be preceded by backup/rollback steps. In a skill specifically designed to alter OpenClaw behavior, missing up-front warnings increase the chance of unsafe execution and unintended system changes.

Vague Triggers

Medium
Confidence: 91%
Finding
The manifest explicitly enables implicit invocation while the trigger behavior is only described in broad natural-language terms, making it easier for the skill to activate without clear user intent. In this skill's context, implicit activation is more concerning because the skill advertises installation actions and optional runtime patching, so an unexpected invocation could steer users toward code-modifying or environment-changing operations they did not clearly request.

Vague Triggers

Medium
Confidence: 96%
Finding
The example configuration enables elevated access and pairs it with placeholder-based trust selectors (`<CHANNEL_NAME>` and `<TRUSTED_SENDER_LABEL>`), which can be copied into production without a concrete, narrowly scoped allowlist. In the context of this skill, elevated execution is especially sensitive because `exec.security` is set to `full` and `ask` is `off`, so a misconfigured trust boundary could allow privileged command execution without interactive approval.

Missing User Warnings

Medium
Confidence: 95%
Finding
The 'First Run' section tells the agent to follow BOOTSTRAP.md and then delete it automatically. Even if intended as cleanup, this directs a destructive file operation without confirmation and could erase auditability, recovery material, or safety-relevant bootstrap instructions before the user can review them.

Missing User Warnings

Medium
Confidence: 93%
Finding
The rollback commands use `rsync --delete`, which will remove files from the target directories that are not present in the backup source. In an operational rollback guide, this is potentially destructive behavior, and the document does not explicitly warn operators that local changes or extra files under `dist/` and `dist/control-ui/` will be deleted during rollback.

VirusTotal

65/65 vendors flagged this skill as clean.
