ClawHub

Behavior Tracker

Security checks across malware telemetry and agentic risk

Overview

This skill openly performs local conversation-derived behavior tracking and report generation, with privacy caveats but no evidence of hidden exfiltration, destructive behavior, or unrelated privilege use.

Install only if you want local conversation-derived behavior tracking. Review the OpenClaw workspace memory directory before use, avoid enabling cron or heartbeat automation unless you are comfortable with ongoing analysis, and delete the generated behavior files if you later want to remove the profile.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Tainted flow: 'BEHAVIOR_FILE' from os.environ.get (line 16, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
"""保存行为数据"""
    data["last_updated"] = datetime.now().isoformat()
    BEHAVIOR_FILE.parent.mkdir(parents=True, exist_ok=True)
    with open(BEHAVIOR_FILE, 'w') as f:
        json.dump(data, f, indent=2, ensure_ascii=False)

def extract_from_memory(date_str=None):
Confidence
91% confidence
Finding
with open(BEHAVIOR_FILE, 'w') as f:

Tainted flow: 'report_file' from os.environ.get (line 194, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
# 3. 生成报告
    report = generate_report(analysis, data)
    report_file = MEMORY_DIR / "behavior-report.md"
    with open(report_file, 'w') as f:
        f.write(report)
    
    print(f"[{datetime.now()}] ✅ 分析完成!")
Confidence
90% confidence
Finding
with open(report_file, 'w') as f:

Tainted flow: 'BEHAVIOR_FILE' from os.environ.get (line 13, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
return {"topics": {}, "projects": {}, "skills": {}}

def save_data(data):
    with open(BEHAVIOR_FILE, 'w') as f:
        json.dump(data, f, indent=2, ensure_ascii=False)

def record(topic=None, project=None, skill=None, note=None):
Confidence
87% confidence
Finding
with open(BEHAVIOR_FILE, 'w') as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises automatic recording and analysis, and the detected capabilities include environment access plus file read/write, but no permissions are declared to inform or constrain that behavior. This creates a transparency and consent gap: a user or hosting platform cannot easily assess that the skill may persistently read local data and write profiling artifacts, which increases privacy and data-handling risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose suggests conversation-based behavior analysis, but the observed behavior extends to parsing local memory/workspace files, persisting reports, and exposing manual recording functions. That mismatch is dangerous because users may consent to one class of processing while the skill actually performs broader collection and persistence, enabling unexpected surveillance or data exposure.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill description says it records and analyzes behavior patterns, but the implementation also persists derived long-term profiles to disk, creating a durable behavioral dataset beyond transient analysis. In a conversation-analysis context, silent retention of derived profiling data increases privacy risk and broadens the data processing surface beyond what many users would reasonably expect.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
Generating a standalone behavior-report.md file creates an additional persistent artifact containing behavioral summaries, which materially expands the skill's data handling beyond simple recording/analysis. In this skill context, that report may expose sensitive inferences about the user and increases the number of locations where profiling data can be accessed or leaked.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger condition 'Auto call after each important conversation' is undefined and overly broad, which can cause the skill to run on far more interactions than a user expects. In a profiling skill, ambiguous automation increases the likelihood of silent collection of sensitive or irrelevant conversational data without clear user intent.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill describes automatic recording and behavior analysis but does not warn users that it performs behavioral profiling or persistent storage-related actions. For a tool centered on tracking habits, interests, and active hours, missing disclosure undermines informed consent and materially increases privacy risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script reads conversation memory files, extracts topics/projects/skills, and persistently stores behavioral profiles and reports without any disclosure, consent, or apparent user control. In a behavior-tracking skill, this context makes the issue more dangerous because it builds longitudinal user profiling from conversations, creating significant privacy and surveillance risk even without a conventional code-execution flaw.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script persists conversation-derived behavioral metadata to a local JSON file without any notice, consent, retention policy, or access controls. In the context of a skill explicitly tied to recording user behavior from conversations, silent retention increases privacy risk and can expose sensitive usage patterns to other local users, backups, or later compromise.

Ssd 3

Medium
Confidence
92% confidence
Finding
The skill is explicitly designed to automatically record and analyze user behavior patterns, yet it provides no clear scoping, minimization, or user-boundary rules. In context, that makes the data-collection risk more serious because profiling dimensions like interests, activity times, and learning habits can reveal sensitive personal patterns even without overtly secret content.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal