ClawHub

clawgo-clone

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about restoring an OpenClaw workspace from ClawGo, but it can persistently replace core agent instruction files from a remote zip, so users should review it carefully before use.

Install or run this only with ClawGo keys you trust. Before copying, inspect the extracted Markdown contents, especially SOUL.md, AGENTS.md, TOOLS.md, USER.md, and HEARTBEAT.md; keep the backup path; and do not run /reset until you are comfortable with the imported workspace files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The manifest description lists triggers such as "restore my workspace notes" and "workspace sync," which are generic phrases that could plausibly appear in ordinary conversation outside this specific ClawGo workflow. Although the key requirement is mentioned earlier in the sentence, the trigger list itself does not provide negative examples or explicit constraints tying invocation to a 12-character ClawGo key in every case.

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 1 — Check key readiness

```bash
curl -s https://clawgo.me/api/clones/{key}/availability
```

- `available: true` and `status: ready` → continue
Confidence
60% confidence
Finding
curl -s https://clawgo.me/api/clones/{key}/availability ``` - `available: true` and `status: ready` → continue - `status: pending` → stop with error: "No zip uploaded for this key yet" - Missing key

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal