Skill Discovery

Security checks across malware telemetry and agentic risk

Overview

This skill can help find skills, but it also has paths that can install or remove global skills without a built-in confirmation step, and its documentation is inconsistent about that behavior.

Install only if you are comfortable with a skill that searches external registries and can install or remove global skills through its CLI/API. Prefer using the OpenClaw hook or --dry-run recommendation mode, review the exact skill name and source before installing, and avoid unattended install/remove paths unless you fully trust the caller and registry results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
76% confidence
Finding
The manifest declares no permissions, but the documented behavior explicitly depends on environment variables such as OPENCLAW_DIR and likely broader env access for external CLI execution. This creates a transparency and review gap: operators may approve the skill believing it has narrower capabilities than it actually uses, which can lead to unintended access to filesystem paths or inherited secrets from the environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented primarily as discovery/recommendation with user-confirmed install, but the documentation also admits it can perform real installation when dryRun=false, uninstall skills, create backup copies, clean local trash, persist logs, and invoke multiple external commands/services. This mismatch is dangerous because users and reviewers may grant trust based on a narrower purpose statement while the skill actually has materially broader system-modifying behavior.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The README says the skill will recommend the best match and then install it after user confirmation, but the documented behavior elsewhere says it automatically installs matching skills. This mismatch is security-relevant because users may rely on the safer description while the actual behavior performs package installation and environment modification without explicit approval.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The roadmap states that an interactive confirmation/approval flow is only planned for the future, which contradicts earlier text implying confirmation already occurs. For a skill that installs third-party components, contradictory security documentation can mislead users and operators into granting trust they would not otherwise give.

Description-Behavior Mismatch

Low
Confidence
81% confidence
Finding
The documentation frames the skill as recommendation/install-oriented, yet also documents persistent local logging and uninstall-related backup behavior. While not inherently malicious, these hidden side effects expand data retention and filesystem impact beyond what a user would reasonably expect from a discovery skill.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
A discovery/recommendation/install skill does not need uninstall-backup capability to fulfill its stated purpose, so including it unnecessarily broadens filesystem access and artifact retention. Extra stateful capabilities increase attack surface and can preserve sensitive or untrusted skill contents locally even after removal.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The code path in autoDiscover defaults to dryRun=true only when no options are supplied, but resolveInstall explicitly performs installation whenever dryRun is false and there is no user confirmation gate in this file. That means a caller can trigger search, selection, and installation in one flow, which contradicts the stated product behavior of recommending first and installing only after user approval; installing third-party skills is security-sensitive because it expands code and capability trust boundaries.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The hook implements destructive lifecycle operations (`safeRemove`) and filesystem cleanup (`cleanTrash`) that exceed the declared discovery/recommendation scope. In an agent-skill context, undocumented uninstall and deletion capabilities enlarge the attack surface and can be invoked by other components or future code paths, enabling unauthorized removal of installed skills or deletion of backup data.

Intent-Code Divergence

Medium
Confidence
75% confidence
Finding
`generatePrompt` can tell the user a skill was 'automatically installed' even though the surrounding hook logic states recommendation mode should not auto-install. This inconsistency can mislead users about what actions were taken and erode consent boundaries, making social-engineering or unauthorized-install flows easier to hide.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill metadata says it is for discovery and recommendation with user confirmation before installation, but this file also exposes direct removal and update capabilities. Expanding functionality beyond the declared scope increases the risk that an upstream agent or workflow invokes destructive package-management actions without the user expecting them.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
This code wraps subprocess-based package management commands such as add, remove, check, and update, which materially exceed a discovery/recommendation-only skill. Even though shell escaping is used, the security issue is excessive capability: an agent integrating this skill could modify the local environment, uninstall tools, or update packages in ways the user did not authorize.

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger phrases include broad patterns like '帮我...' ("help me...") and '怎么...' ("how to...") that are common in ordinary conversation, increasing the chance that the skill auto-invokes on unrelated user input. In this skill's context, unintended invocation is especially dangerous because invocation can lead to searching for and installing external skills, causing unplanned code introduction into the environment.

Missing User Warnings

High
Confidence
97% confidence
Finding
The README repeatedly describes automatic installation of skills in response to user requests without a clear requirement for confirmation before modifying the system. Automatically installing third-party skills from search results creates a supply-chain and unauthorized-change risk, especially when the search source is external and matching is based on inferred intent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation criteria are broad enough to match ordinary requests for help, such as deployment or testing, which can cause the skill to trigger when the user did not actually ask to discover or install a skill. In this context, unintended invocation is more dangerous because the skill can search external registries, write logs, and potentially install software when not carefully gated.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Example phrases like '怎么写测试' ("how to write tests") and 'help me with testing' are generic requests for assistance, not clear consent to invoke a discovery/install mechanism. Because this skill reaches external registries and supports installation flows, overly generic trigger examples materially raise the risk of accidental activation and downstream side effects.

Missing User Warnings

High
Confidence
97% confidence
Finding
The installation branch calls clawhubAdd or skillsAdd with no interactive confirmation check in this module, and for skillsAdd it even passes yes: true, suppressing prompts. In a skill-discovery context, this is especially dangerous because search results may include third-party packages from external sources, so automatic installation can lead to unintended execution of unreviewed code or supply-chain exposure.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The package description advertises automatic discovery and installation of skills based on generic user intent, which creates an overly broad invocation and trust boundary. In a skill marketplace or agent environment, this can cause the component to activate in many unrelated contexts and steer users toward installation of code they did not explicitly request, increasing the risk of unsafe or malicious skill acquisition.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The removal function defaults to global=true and yes=true, causing non-interactive deletion of skills without any built-in confirmation prompt. In an agent setting, this is dangerous because a mistaken or manipulated call can silently uninstall components from the environment, directly conflicting with the stated user-confirmation workflow.

VirusTotal

65/65 vendors flagged this skill as clean.
