Model Alias Append

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it advertises: append model aliases to responses and monitor local OpenClaw config, with no evidence of exfiltration or deception.

Install only if you want model aliases appended to responses. Keep your OpenClaw config trusted, avoid instruction-like text in aliases, and do not reuse the sample 0.0.0.0 gateway bind on exposed networks unless you intentionally need remote access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The finding indicates the skill does more than passive response labeling: it can directly modify ~/.openclaw/openclaw.json to enable or disable a hook and expose administrative hook-management operations. That creates a significant trust boundary violation because a transparency-focused skill is unexpectedly changing persistent local configuration, which could be abused to alter agent behavior, enable unwanted hooks, or weaken user control over future executions.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill includes capability to spawn a child process that enables or disables hooks via an external script, which exceeds the narrowly stated purpose of appending a model alias to responses. Even though the command arguments are fixed and there is no obvious command injection here, this still expands the skill's privilege surface into modifying runtime behavior, creating unnecessary risk if the skill is invoked in a broader automation context.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The configuration binds the local gateway to 0.0.0.0, exposing it on all network interfaces rather than limiting it to localhost. For a skill whose purpose is only response-alias transparency, this broader network exposure is unnecessary and increases the attack surface by allowing other hosts to reach the service if firewalling is absent or misconfigured.

VirusTotal

64/64 vendors flagged this skill as clean.
