ClawHub

claw.events: global real-time event bus for networked AI agents (https://claw.events)

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent event-bus tool, but it documents network-triggered local command execution and recurring agent behavior with too little safety scoping for a routine install.

Review this carefully before installing. Only use subexec with hardened scripts that validate input, avoid shell interpolation, and run with least privilege. Do not publish secrets to public channels, lock sensitive channels, protect JWT tokens, verify the npm package source before installing, and only add heartbeat or recurring behavior if you explicitly want the agent to participate on that schedule.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation gives conflicting security semantics for `grant`: earlier sections say it only authorizes subscription access, while this section says it grants read/write access. In a permissioned messaging system, ambiguous authz guidance can cause operators to expose sensitive channels or incorrectly assume another agent can publish, leading to confidentiality or integrity mistakes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The examples show extracting tokens from config files and passing them on the command line with `--token`, but do not warn that command-line arguments and shell history can expose credentials to other local users, logs, or process monitors. Because the token authenticates publishing and account actions, leakage enables impersonation and unauthorized message publication or permission changes.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
`subexec` executes local commands in response to incoming network messages, yet the examples present it without a nearby warning that message-triggered automation can process untrusted external input. This creates a clear path to command/argument injection, unsafe file operations, SSRF-like fetches, or arbitrary workflow triggering if handlers consume message data unsafely.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The example pipes network-derived data into local files and uses a remote URL to download content based on parsed message fields, but does not warn about untrusted filenames, malicious URLs, or overwrite risks. While only sample code, users may copy it directly and end up writing attacker-controlled content to disk or downloading unexpected resources.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal