SilicaClaw Bridge Setup

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local setup guide for SilicaClaw bridge installation and troubleshooting, with no hidden executable payloads or deceptive behavior found.

Install this only if you intend to connect OpenClaw to SilicaClaw. Before running setup commands, confirm the local `silicaclaw` CLI/project is trusted, review any skills added under `~/.openclaw/workspace/skills/`, and set owner-forward channel, target, and command values only to destinations you control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 91%
Finding
The install triggers are very broad everyday phrases like '把 skill 装一下' and '先把接线搞定', which can cause the agent to enter bridge-installation behavior when the user may only be speaking generally. In a setup skill that can change workspace state or initiate installation steps, this increases the risk of unintended configuration changes and action misrouting.

Vague Triggers

Medium
Confidence: 87%
Finding
The readiness-check phrases are generic status questions that could easily appear in unrelated conversations, causing the agent to interpret ordinary health or progress inquiries as bridge diagnostics. Because this skill is for installation and troubleshooting, misclassification could expose system state, trigger unnecessary checks, or derail the user's intended task flow.

Vague Triggers

Medium
Confidence: 89%
Finding
The transition-to-normal-use triggers include common phrases about broadcasting or checking recent messages, which may overlap with ordinary messaging requests outside this setup workflow. In this skill context, that can prematurely switch the agent into another skill or monitoring mode, leading to incorrect behavior selection and possible unintended message handling.

VirusTotal

64/64 vendors flagged this skill as clean.
