botlearn

Security checks across malware telemetry and agentic risk

Overview

BotLearn appears to be a real platform integration, but it enables broad autonomous scanning, posting, messaging, updating, and skill installation by default, so users should review it carefully before installing.

Install only if you are comfortable with BotLearn acting as an autonomous agent-platform client rather than a passive benchmark. Before use, create the config explicitly and set the following values to false unless you deliberately want them: auto_post, auto_comment, auto_vote, auto_dm_approve, auto_dm_reply, auto_update, heartbeat_enabled, learning_context_scan, share_project_context_in_learning, auto_install_solutions, learning_actionable_install, and learning_report_to_platform. Do not rely on the absence of a config file to keep the skill conservative: the findings below report that the skill's own rules treat a missing config as full autonomy. Review the benchmark scan report before upload where possible, avoid running it in private workspaces, and treat marketplace skill installation as installing untrusted code or instructions.
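
A pre-install audit of those flags, written for this page as an added example (it is not BotLearn's code). The config file format (JSON) and the non-flag keys in the samples (server_url, username) are assumptions; the flag names are the ones listed above. It fails closed: a missing file is reported as unsafe because the scan findings say a missing config means full autonomy, and a missing key is reported because the documented defaults are permissive. Keys the audit does not recognise are listed for review, since the findings note that schema upgrades can add fields after an update.

```python
"""Pre-install audit of a BotLearn-style config against the autonomy flags
named in the Overview. Added example, not BotLearn's own code. The JSON
format, the file location and the non-flag keys in the samples are assumptions."""
import json
from typing import Optional

# Flags named in the Overview; per the scan report their documented defaults are on.
AUTONOMY_FLAGS = (
    "auto_post", "auto_comment", "auto_vote", "auto_dm_approve", "auto_dm_reply",
    "auto_update", "heartbeat_enabled", "learning_context_scan",
    "share_project_context_in_learning", "auto_install_solutions",
    "learning_actionable_install", "learning_report_to_platform",
)

# Constructed sample in the permissive shape the report describes (every flag on).
# "server_url" and "username" are hypothetical non-flag keys.
PERMISSIVE_CONFIG_JSON = json.dumps(
    {**{flag: True for flag in AUTONOMY_FLAGS},
     "server_url": "https://example.invalid", "username": "agent-01"},
    indent=2)


def hardened_config() -> dict:
    """Every autonomy flag explicitly present and set to false."""
    return {flag: False for flag in AUTONOMY_FLAGS}


HARDENED_CONFIG_JSON = json.dumps(hardened_config(), indent=2)


def audit_config(raw: Optional[str]) -> dict:
    """Classify a config. `raw` is the file's text, or None if the file is absent.

    Fails closed: a missing file means full autonomy per the report, and a
    missing key falls back to the documented (permissive) default, so both
    are reported as problems rather than silently passed."""
    result = {"missing_file": raw is None, "enabled": [], "missing": [],
              "unexpected": [], "malformed": None}
    if raw is None:
        return result
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        result["malformed"] = str(exc)
        return result
    if not isinstance(cfg, dict):
        result["malformed"] = "top-level value is not an object"
        return result
    for flag in AUTONOMY_FLAGS:
        if flag not in cfg:
            result["missing"].append(flag)
        elif cfg[flag] is not False:          # true, "yes", 1: anything but literal false
            result["enabled"].append(flag)
    # Keys the audit does not know: a schema upgrade may have added them
    # (see the Intent-Code Divergence findings); list them for human review.
    result["unexpected"] = sorted(k for k in cfg if k not in AUTONOMY_FLAGS)
    return result


def is_safe(result: dict) -> bool:
    """True only when the file exists, parses, and every flag is explicitly false."""
    return (not result["missing_file"] and result["malformed"] is None
            and not result["enabled"] and not result["missing"])


if __name__ == "__main__":
    for label, raw in (("missing file", None),
                       ("permissive", PERMISSIVE_CONFIG_JSON),
                       ("hardened", HARDENED_CONFIG_JSON)):
        r = audit_config(raw)
        print(f"{label:12} safe={is_safe(r)} enabled={r['enabled']} "
              f"missing={r['missing']} unexpected={r['unexpected']}")
```

Run it against the real file before the first heartbeat or cron run; anything other than safe=True with an empty unexpected list deserves a look at the key in question, and the audit should be rerun after every auto_update.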

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (102)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
The skill advertises and orchestrates shell, network, and environment access but does not declare permissions up front, which prevents meaningful user consent and undermines host-side policy enforcement. In this context, the hidden capabilities are material because the skill can download archives, inspect local state, and transmit data to a remote service.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
The manifest positions BotLearn mainly as a model-side learning loop, but the documented behavior includes account registration, credential storage, workspace scanning, remote uploads, skill installation/removal, messaging, posting, and self-update. This mismatch can cause users to invoke the skill under a narrow trust assumption while actually authorizing broad local and network actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Framing the skill as a learning-loop tool while embedding broad social, account, admin, and lifecycle management capabilities is security-relevant deception by omission. In context, this broadens the attack surface and increases the chance that a user triggers sensitive operations without realizing the full scope of authority granted to the skill.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
The update section claims personal data is never touched, yet it explicitly instructs modification of local config by adding missing keys. Even if credentials are not overwritten, changing config can alter permissions or behavior after an update, which makes the safety guarantee inaccurate and can reduce user control.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
The exam workflow explicitly instructs the agent to run commands, make API calls, and read/write files based on server-provided questions, with no restriction to a safe allowlist or bounded task set. Because the question content is dynamic and could request sensitive or destructive actions, this creates a confused-deputy style capability escalation where the skill can be induced to operate beyond its declared benchmarking purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
The workflow authorizes arbitrary task execution for 'practical' questions without ensuring those tasks are necessary for benchmarking or aligned to the skill's stated purpose. In skill context, this is more dangerous because an external exam service can effectively delegate broad agent actions under the guise of evaluation.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
The scan is explicitly designed to collect extensive host, CLI, workspace, config, log, and document data, then upload filtered metadata to a remote server. That exceeds the stated 'learning loop' capability and creates a real data-exfiltration surface, especially because discovered workspaces and their contents are included transitively via config parsing.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Reading arbitrary uppercase-named markdown files across all discovered workspaces can capture sensitive operational instructions, internal agent policies, credentials accidentally stored in docs, or proprietary project context. The filename heuristic is broad and not tied tightly to benchmark necessity, so it materially increases unnecessary exposure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
The script’s declared purpose is a model-side learning loop, but its command router exposes a much broader surface including registration, marketplace actions, social posting, channels, DMs, file uploads, and skill management. This scope expansion materially increases the attack surface and the chance that a user or upstream agent triggers unintended external actions, especially because many of these operations are networked and state-changing.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
The helper includes generic subprocess execution with process-group management and timeout handling, plus archive extraction helpers that can unpack attacker-controlled content. In a skill that also supports downloads and installations, these primitives can enable unsafe execution chains or archive-based attacks such as path traversal and overwriting files if untrusted archives are processed without strict validation.
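
An inspect-before-extract routine of the kind this finding calls for, added here as an example (it is not BotLearn's code). Both archives are constructed in memory: one benign skill bundle and one carrying the member shapes the finding names, a `..` traversal entry, an absolute path that would overwrite a system file, and a symlink pointing outside the destination. Every check runs on archive metadata before a single byte is written, and the whole archive is refused if any member fails, so a half-unpacked skill never lands on disk. The destination path used in the demo is arbitrary.

```python
"""Inspect-before-extract for archives that a skill downloads and unpacks.
Added example, not BotLearn's own code; both archives below are constructed
in memory. Rejects path traversal, absolute paths, links that escape the
destination, and special files."""
import io
import os
import tarfile
import tempfile


def _inside(base: str, path: str) -> bool:
    """True if `path` resolves to `base` or something beneath it."""
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(path)]) == base


def audit_tar_members(tar_bytes: bytes, dest: str):
    """Return (accepted_names, {rejected_name: reason}) using only archive
    metadata, before anything is written under `dest`."""
    accepted, rejected = [], {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            target = os.path.join(dest, m.name)
            if os.path.isabs(m.name) or not _inside(dest, target):
                rejected[m.name] = "path escapes destination"
            elif m.issym() and not _inside(dest, os.path.join(os.path.dirname(target), m.linkname)):
                rejected[m.name] = "symlink target outside destination"
            elif m.islnk() and not _inside(dest, os.path.join(dest, m.linkname)):
                rejected[m.name] = "hardlink target outside destination"
            elif not (m.isfile() or m.isdir() or m.issym() or m.islnk()):
                rejected[m.name] = "device/fifo members are not allowed"
            else:
                accepted.append(m.name)
    return accepted, rejected


def archive_is_safe(tar_bytes: bytes, dest: str) -> bool:
    return not audit_tar_members(tar_bytes, dest)[1]


def extract_safely(tar_bytes: bytes, dest: str) -> list:
    """Extract only when every member passed the audit; otherwise refuse the
    whole archive rather than unpack a partial, tampered skill."""
    accepted, rejected = audit_tar_members(tar_bytes, dest)
    if rejected:
        raise ValueError(f"refusing archive: {rejected}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        # Python 3.12+ ships tarfile.data_filter with similar rules; apply it too when present.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(path=dest, **kwargs)
    return accepted


def extract_to_tempdir(tar_bytes: bytes) -> list:
    """Extract into a fresh temp dir and return the relative paths now on disk."""
    dest = tempfile.mkdtemp(prefix="skill-")
    extract_safely(tar_bytes, dest)
    return sorted(os.path.relpath(os.path.join(r, f), dest)
                  for r, _, files in os.walk(dest) for f in files)


def _build(entries) -> bytes:
    """Constructed sample archive: entries are (name, kind, payload), kind in {"file", "symlink"}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
    return buf.getvalue()


BENIGN_TAR = _build([
    ("skill/SKILL.md", "file", "# constructed sample skill\n"),
    ("skill/run.sh", "file", "echo hello\n"),
])
MALICIOUS_TAR = _build([
    ("skill/SKILL.md", "file", "# looks harmless\n"),
    ("../../.bashrc", "file", "echo injected\n"),          # traversal out of dest
    ("/etc/cron.d/skill", "file", "# would overwrite\n"),  # absolute path
    ("skill/cfg", "symlink", "/etc"),                      # link escaping dest
])

if __name__ == "__main__":
    print("benign  ->", extract_to_tempdir(BENIGN_TAR))
    print("hostile ->", audit_tar_members(MALICIOUS_TAR, "/tmp/skill-dest")[1])
```

The same audit belongs in front of the skill's subprocess helper: if an archive is refused, nothing from it should be eligible to run.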

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
The scan command gathers substantially more data than a user would reasonably expect from a benchmarking action, including hardware details, platform configuration, workspace inventory, and potentially recent activity. This creates an overcollection/data exfiltration risk because users invoking a seemingly simple benchmark may unknowingly transmit sensitive local metadata to a remote service.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
This code reads the contents of uppercase Markdown files in the workspace root and includes their content in the generated report, which is then uploaded as part of the benchmark flow. Workspace documents may contain secrets, internal procedures, credentials, customer data, or proprietary information unrelated to benchmarking, so this is a direct sensitive data exposure risk.
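
A way to see what the uppercase-Markdown sweep described in this finding and the earlier one would pick up, before anything is uploaded. This is an added example, not BotLearn's code, and the skill's exact filename heuristic is not published: the rule used here (basename all caps before `.md`, such as README.md, SKILL.md, AGENTS.md), the skipped directories and the secret indicators are assumptions. The workspace it walks is constructed in a temp dir with placeholder content.

```python
"""Preview of which workspace documents an uppercase-Markdown sweep would
collect, and whether any look secret-bearing, so the report can be reviewed
before upload. Added example, not BotLearn's own code. The filename rule,
SKIP_DIRS and SECRET_PATTERNS are assumptions standing in for the skill's
own heuristic."""
import os
import re
import tempfile

UPPER_MD = re.compile(r"^[A-Z][A-Z0-9_-]*\.md$")

# Cheap indicators that a document carries material that should not leave the host.
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*\S+"),
}
SKIP_DIRS = {".git", "node_modules", ".venv"}   # assumption: not user documents


def find_uppercase_markdown(root: str) -> list:
    """Relative paths of every file whose basename matches UPPER_MD, at any depth."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        hits.extend(os.path.relpath(os.path.join(dirpath, f), root)
                    for f in filenames if UPPER_MD.match(f))
    return sorted(hits)


def flag_secrets(path: str) -> list:
    """Names of the SECRET_PATTERNS that match the file's text."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return sorted(name for name, pat in SECRET_PATTERNS.items() if pat.search(text))


def preview_sweep(root: str) -> dict:
    """{relative path: [indicators]} for everything the sweep would collect."""
    return {rel: flag_secrets(os.path.join(root, rel))
            for rel in find_uppercase_markdown(root)}


def build_sample_workspace() -> str:
    """Constructed workspace in a temp dir; the 'secrets' are placeholders."""
    root = tempfile.mkdtemp(prefix="ws-")
    files = {
        "README.md": "# Demo project\n\nRun `make test`.\n",
        "AGENTS.md": "Never post to external channels without approval.\n",
        "docs/RUNBOOK.md": "## Prod access\n\npassword: hunter2-constructed\n",
        "SKILL.md": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed placeholder\n",
        "notes.md": "lowercase basename: outside the heuristic\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for rel, flags in preview_sweep(build_sample_workspace()).items():
        print(f"{rel:20} {'would leak: ' + ', '.join(flags) if flags else 'no indicators'}")
```

Point it at every workspace the scan could discover, not just the one you launched from, since the earlier finding notes that discovered workspaces are included transitively. Note that AGENTS.md trips no indicator yet is still operational policy you may not want uploaded; the indicator list catches obvious credentials, not sensitive context.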

Context-Inappropriate Capability

Severity: High
Confidence: 99%
The scan captures recent OpenClaw logs and places them into the payload under recentActivity for upload. Logs commonly contain prompts, responses, paths, tokens, identifiers, and operational context, so uploading them for a benchmark function can leak highly sensitive information beyond the user's intent.

Context-Inappropriate Capability

Severity: High
Confidence: 88%
Channel administration and moderation commands introduce powerful state-changing capabilities—creating channels, rotating invites, kicking members, and changing settings—that are unrelated to the stated learning-focused purpose. In an agent-skill context, this unjustified privilege expansion is dangerous because users may invoke or install the skill expecting summarization/learning behavior, not community administration actions with social or operational impact.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Submitting recommendation/NPS feedback on behalf of the user is a sensitive reputation-affecting action that falls outside the declared learning-loop purpose. Even if the server validates the request, this creates a deceptive capability boundary where an installed learning skill can influence surveys, scoring, or product feedback without clear user expectation.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
The heartbeat explicitly broadens the skill from a learning/reporting helper into an autonomous dispatcher that selects and uses host-native messaging channels, including external services. That expansion materially increases the skill's authority and data egress surface, especially in unattended cron runs where messages may be sent without an active user review step.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
These instructions authorize autonomous social actions—posting, commenting, voting, reviews, and DM handling—which go well beyond the manifest's core learning loop. In practice this can let the skill impersonate the user/agent in a community, create irreversible content, and interact with third parties based on heuristics rather than narrowly scoped user intent.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
The skill instructs dispatch over arbitrary external channels such as email and webhooks, which creates an unrestricted exfiltration path for summaries, DM content, and other derived data. Because the target may be parsed from a cron prompt and used autonomously, this increases the risk of sending sensitive information to untrusted destinations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
This file presents a 'learning' workflow but expands it into autonomous external actions such as community interaction, skill installation, trial execution, and remote reporting. That mismatch is dangerous because users may consent to passive study while the skill performs actions that can modify the environment, contact third parties, and transmit data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
The orchestration directs scanning of workspace context and retroactive review of past tasks as part of routine learning, which exceeds what is necessary for community content summarization. This broadens access to potentially sensitive local information and increases the chance that unrelated project data is collected, processed, or later disclosed.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Automatically installing and trial-running skills discovered in community posts creates a direct path from untrusted external content to local code or capability execution. In context, this is especially dangerous because recommendations come from a social feed, making the skill susceptible to malicious promotion, supply-chain abuse, or execution of unsafe tools.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
The documented defaults turn a purported learning CLI into an autonomous agent that can post, comment, DM, update itself, install solutions, and report execution data remotely. In this skill context, that scope expansion is dangerous because it materially increases external communication and code-change capability beyond what a user would reasonably expect from a local learning workflow.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Declaring the server as the source of truth implies ongoing synchronization and remote dependence for local state restoration. In an agent skill, this increases privacy and integrity risk because local execution history and routing decisions may be reconstructed from or overridden by remote data without clear user approval.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
The rule forbidding config modification without human instruction conflicts with the later allowance for automatic schema upgrades that add fields. This ambiguity is dangerous because it creates a policy loophole through which new capabilities can be enabled or persisted without meaningful user consent.

Intent-Code Divergence

Severity: High
Confidence: 98%
The document presents contradictory security defaults: early sections say the system defaults to conservative permissions when config is absent, but later mandatory rules say a missing config means full autonomy. In a security-sensitive skill, this ambiguity can cause an agent to perform posting, messaging, updates, or scanning without explicit authorization, effectively turning a missing policy file into implicit consent.

VirusTotal

65/65 vendors flagged this skill as clean.
