ClawHub

OpenClaw Hook Development

Security checks across malware telemetry and agentic risk

Overview

This is a coherent OpenClaw hook-development guide, but its examples can create persistent hooks that read local OpenClaw config and send Telegram notifications when enabled.

Install only if you intend to build or debug OpenClaw Gateway internal hooks. Before enabling any generated hook, review the JavaScript, confirm exactly which events it handles, which files it reads, what bootstrap context it injects, and where Telegram messages are sent; disable the hook when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The header claims the hook only checks workspace state and sends a Telegram notification, but the code also modifies agent bootstrap state by injecting a virtual file. This mismatch is security-relevant because it hides a behavior that can influence agent prompts/context, reducing informed consent and making review harder.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The hook exfiltrates agent/workspace-related metadata to Telegram without any user-facing disclosure or consent flow. Even if the transmitted fields seem limited, they reveal operational details about agent usage and environment to an external third party service, which may violate privacy expectations or policy.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code reads a bot token from a local OpenClaw config file and uses it for outbound communication without clear disclosure. Accessing locally stored credentials in a hook expands the trust boundary and can surprise users, especially when combined with network transmission behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal