Idea Storm

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent automation purpose, but it gives a sandboxed coding agent broad authority with real credentials and weak user-facing safeguards.

Review before installing. Use only disposable or tightly scoped model and Notion tokens, verify or rebuild the Docker image yourself, avoid sensitive experiment content, and require explicit approval before running the sandbox or syncing to Notion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill instructs the agent to read host-level API credentials from /root/.openclaw/openclaw.json and inject them into a container environment. That creates a secret-exfiltration and privilege-boundary violation risk, because a skill framed as an experiment workflow should not independently harvest sensitive host credentials and forward them to subprocesses or external services.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Using Claude Code with --dangerously-skip-permissions removes an important safety gate and allows broad autonomous actions inside the container. Even with containerization, the mounted experiment directory and injected credentials mean unrestricted code can tamper with files, leak data, or perform unintended network actions beyond the intended research/design loop.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script launches Claude with `--dangerously-skip-permissions`, explicitly disabling an important safety boundary and granting the model unrestricted in-container actions. In the context of an autonomous experimentation skill, this materially increases the chance that prompt-driven or malicious inputs can cause destructive file changes, secret harvesting, or unexpected command execution inside the mounted workspace.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script reads API credentials from a global OpenClaw configuration and injects them into the container as environment variables, exposing them to any process the agent starts in the sandbox. Because the skill is designed to automate open-ended research and iteration, this creates a path for prompt-influenced code or tools to exfiltrate the platform token or misuse the backend service outside the experiment's intended scope.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Broad trigger phrases like '实验一下' ("try an experiment") or '帮我验证' ("help me verify") can cause accidental invocation during ordinary conversation. Because this skill performs file writes, process spawning, command execution, and external-service interactions, accidental activation materially increases the chance of unintended high-impact actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill description covers high-impact operations such as writing files, updating Notion, executing commands, and reading configuration, but it does not present a clear, centralized risk disclosure. Without explicit warning, users may not understand that enabling the skill allows persistent state changes and potentially sensitive automation.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation explicitly extracts local API credentials and injects them into a container, yet does not clearly warn the user that secrets will be accessed and potentially used for external service calls. This lack of disclosure is especially dangerous because the accessed file is host-global and likely contains sensitive provider credentials unrelated to the current task.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document instructs users to configure a live Notion API token and says the skill will automatically use those variables to operate on Notion, but it does not clearly warn that this enables authenticated remote writes to a third-party service. That omission increases the chance of accidental over-sharing, misuse of a broadly scoped token, or unintended exfiltration of experiment content into Notion.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Changing the experiment directory to mode `777` makes it world-readable, world-writable and world-executable on the host, granting far broader access than is needed to work around the container-user UID mismatch it is meant to solve (mapping the host uid/gid into the container would do that). This weakens filesystem integrity and confidentiality, especially on multi-user systems or shared environments, and does so silently without informing the user of the security tradeoff.

Missing User Warnings

High
Confidence
97% confidence
Finding
The command line enables a dangerous permission bypass for Claude without any explicit warning, consent gate, or narrowing of capabilities. In a skill that accepts user-provided experiment prompts, this makes prompt injection and unsafe autonomous behavior more dangerous because the model can act without normal interactive checks.

External Transmission

Medium
Category
Data Exfiltration
Content
Create page:
```bash
curl -X POST 'https://api.notion.com/v1/pages' \
  -H 'Authorization: Bearer $NOTION_TOKEN' \
  -H 'Content-Type: application/json' \
  -H 'Notion-Version: 2022-06-28' \
```
Confidence
90% confidence
Finding
curl -X POST 'https://api.notion.com/v1/pages' \ -H 'Authorization: Bearer $NOTION_TOKEN' \ -H 'Content-Type: application/json' \ -H 'Notion-Version: 2022-06-28' \ -d '{ "parent": { "datab

External Transmission

Medium
Category
Data Exfiltration
Content
Create page:
```bash
curl -X POST 'https://api.notion.com/v1/pages' \
  -H 'Authorization: Bearer $NOTION_TOKEN' \
  -H 'Content-Type: application/json' \
  -H 'Notion-Version: 2022-06-28' \
```
Confidence
90% confidence
Finding
https://api.notion.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Append content blocks:
```bash
curl -X PATCH 'https://api.notion.com/v1/blocks/$PAGE_ID/children' \
  -H 'Authorization: Bearer $NOTION_TOKEN' \
  -H 'Content-Type: application/json' \
  -H 'Notion-Version: 2022-06-28' \
```
Confidence
88% confidence
Finding
https://api.notion.com/
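The findings above describe four concrete patterns a reviewer can check for before installing: a host-global credential file read (`/root/.openclaw/openclaw.json`), a `chmod 777` on the experiment directory, the `--dangerously-skip-permissions` flag, and a Notion API call that carries the token in a single-quoted header (the shell does not expand `$NOTION_TOKEN` inside single quotes, so as quoted the literal text would be sent unless the docs intend it as a placeholder). The script below is an added example, not code from the Idea Storm skill or from the SkillSpector report: it audits a run script for those patterns and prints the sandbox invocation a reviewer would accept instead, with an explicit approval gate. The sample run script, the image name `idea-storm`, the env-file path, and the variable names are constructed for this example and are assumptions about how such a skill is wired, not facts taken from the skill.

```shell
#!/bin/sh
# Added example (not the Idea Storm skill's code): pre-install audit of a
# skill run script plus a hardened replacement for its sandbox invocation.
# The sample script, the image name "idea-storm" and all variable names are
# constructed assumptions for this example.

# A constructed run script reproducing the risky patterns from the findings.
make_sample_script() {
  cat <<'EOF'
#!/bin/bash
API_KEY=$(jq -r '.providers.openai.apiKey' /root/.openclaw/openclaw.json)
chmod -R 777 "$EXPERIMENT_DIR"
docker run --rm -v "$EXPERIMENT_DIR:/work" -e API_KEY="$API_KEY" idea-storm \
  claude --dangerously-skip-permissions -p "$PROMPT"
curl -X POST 'https://api.notion.com/v1/pages' \
  -H 'Authorization: Bearer $NOTION_TOKEN' \
  -H 'Notion-Version: 2022-06-28'
EOF
}

# Print one code per line for each risky pattern present in FILE.
# UNEXPANDED_TOKEN flags a single-quoted Bearer header: single quotes stop
# the shell from expanding $NOTION_TOKEN, so the literal string is sent.
audit_skill_script() {
  file="$1"
  grep -q -- '--dangerously-skip-permissions' "$file" && echo PERM_BYPASS
  grep -q -E 'chmod( -R)? +0?777' "$file" && echo WORLD_WRITABLE
  grep -q '/root/\.openclaw/openclaw\.json' "$file" && echo HOST_CREDENTIAL_READ
  grep -q -E "'Authorization: Bearer [\$][A-Z_]+'" "$file" && echo UNEXPANDED_TOKEN
  return 0
}

# Write an env file holding only the scoped tokens the experiment needs,
# taken from the caller's environment rather than a host-global config, and
# readable by the owner only. Returns 1 if a required token is unset.
write_scoped_env_file() {
  out="$1"
  [ -n "$ANTHROPIC_API_KEY" ] && [ -n "$NOTION_TOKEN" ] || return 1
  ( umask 077
    printf 'ANTHROPIC_API_KEY=%s\nNOTION_TOKEN=%s\n' \
      "$ANTHROPIC_API_KEY" "$NOTION_TOKEN" > "$out" )
}

# The docker command a reviewer would accept instead: host uid/gid mapped in
# (no chmod 777), all capabilities dropped, no privilege gain, secrets from
# the scoped env file, and no --dangerously-skip-permissions. Printed, not run.
hardened_docker_cmd() {
  experiment_dir="$1"; env_file="$2"; uid="$3"; gid="$4"
  printf 'docker run --rm --user %s:%s --cap-drop ALL --security-opt no-new-privileges' "$uid" "$gid"
  printf ' --env-file %s -v %s:/work idea-storm claude -p "$PROMPT"\n' "$env_file" "$experiment_dir"
}

# Explicit approval gate: only a literal "yes" lets the sandbox run or the
# Notion sync proceed. The answer is passed in so the gate is testable offline.
approved() {
  [ "$1" = "yes" ]
}

# Demonstration: audit the constructed script and show the accepted command.
tmp=$(mktemp)
make_sample_script > "$tmp"
echo "Findings for sample run script:"
audit_skill_script "$tmp"
rm -f "$tmp"
echo "Accepted sandbox invocation:"
hardened_docker_cmd /home/alice/experiments /home/alice/.idea-storm.env "$(id -u)" "$(id -g)"
envf=$(mktemp)
if write_scoped_env_file "$envf"; then
  echo "Scoped env file written to $envf (owner-readable only)"
else
  echo "Set ANTHROPIC_API_KEY and NOTION_TOKEN (scoped, disposable) before running"
fi
rm -f "$envf"
```

Run the audit against the real run script of any skill before installing it; a non-empty finding list is the cue to rebuild the image yourself and to wrap the sandbox call with `approved "$answer"` after showing the user exactly which directory is mounted and which tokens are passed in. Network egress is deliberately left unrestricted here because the coding agent needs to reach its model API; narrow it at the host firewall or proxy rather than with `--network none`.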

VirusTotal

63/63 vendors reported this skill as clean. A clean antivirus result covers the packaged files only; it does not assess the credential-handling, permission-bypass and Notion-sync risks described in the findings above.

View on VirusTotal