Oi

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Oi MCP integration skill, but users should understand it can connect to Oi, authenticate, and perform account-affecting actions only after approval.

Install this if you intend to use Oi through OpenClaw. Before approving setup or actions, confirm you are comfortable connecting OpenClaw to the hosted Oi MCP server, storing OAuth tokens or an organization API key, and allowing approved Oi actions that may affect Contexts, Workflows, organization settings, billing/API keys, durable feedback, or connected provider data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The manifest presents the skill as only loading Oi Contexts and Workflows, but the body authorizes broader actions including installation, publishing, organization changes, billing, API access, and credential-related operations. This scope mismatch can mislead users, reviewers, or automated policy systems into granting trust or auto-invocation to a skill that can drive materially higher-risk actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The documented workflow includes setup commands, install flows, publishing, write actions, and credential-adjacent operations that exceed the stated purpose of merely loading contexts/workflows. Even with approval language present, under-describing these side effects increases the chance of unsafe invocation and weakens informed consent around external configuration changes.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding:
The 'Use this skill when the user wants to work with Oi' clause is followed by broad categories such as workflow discovery, onboarding, analytics, and first-use success, which can overlap with ordinary product-support requests. This increases the chance the skill is invoked in contexts where the user did not clearly request Oi-specific tool use, potentially exposing data to external services or steering the session into privileged operations.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding:
Triggering on named Contexts, named Workflows, sticky context requests, or requests to list available contexts/workflows is ambiguous unless the user has already anchored the request to Oi. These selectors and phrases are generic enough to capture unrelated requests, making accidental routing to Oi MCP and unintended external disclosure more likely.

VirusTotal

63/63 vendors flagged this skill as clean.