ClawHub

MFA WORD

Security checks across malware telemetry and agentic risk

Overview

This skill appears locally contained and not malicious, but it presents itself as a security gate while relying on agent compliance and storing password-like material in lightly protected local files.

Install only if you understand this is an agent workflow guard, not real operating-system MFA or filesystem access control. Use unique high-entropy secret and reset words, do not reuse account passwords, and be aware it stores a local vault and audit log under ~/.openclaw that may be readable depending on system permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill appears to rely on environment-related capabilities without declaring them, which weakens transparency and permission review. In a security-themed skill that handles authentication state and secrets, undeclared capability use makes it harder for users and reviewers to understand what data the skill can access and increases the chance of unintended secret exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a gatekeeper for sensitive operations, but the described behavior indicates it only reports authentication status and stores MFA state, secrets, and logs persistently. This can create a false sense of protection: users or upstream agents may believe access is actually enforced when it is not, leading to sensitive actions proceeding without real mediation while additional secret material is collected and retained.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill does more than transiently challenge for a word: it persists authentication-related data and configuration to disk and creates a durable audit trail. Even though the stored values are hashed, this expands the attack surface by leaving recoverable security metadata on disk and creates privacy/security concerns not implied by the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The separate 'super secret' reset path introduces a second privileged credential and expands the trust boundary beyond simple access verification. This creates an additional avenue for compromise or misuse, especially since reset authority can silently replace the primary secret and is not clearly required for the advertised MFA-gating function.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill asks users to provide secret words and reset words through chat or tool inputs without warning that these credentials will be collected and processed. In context, this is especially risky because the skill also references persistent storage and audit logging, so users may unknowingly disclose authentication secrets into systems that retain or expose them.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill stores authentication material and recovery material on disk without warning the user. Even though only hashes are stored, offline guessing against weak secret words becomes possible if the file is exposed, and users are not informed that security-critical data is being persisted.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill records authentication events to a persistent logfile without informing the user. This can expose behavioral metadata such as authentication attempts and timing, creating privacy concerns and potential reconnaissance value if another local process or user can read the log.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal