Incident Response

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate incident-response skill, but it can run powerful remote recovery and persistent monitoring actions without enough built-in confirmation or scoping.

Install only for trusted agents with access to the intended OpenClaw host. Before allowing this skill to restore configs, restart services, delete or reset local state, edit agent rules, commit changes, change permissions, or create cron monitors, require an explicit review step, a narrow target host/scope, and a rollback plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger list includes broad phrases such as 'root cause', 'audit X', and 'something disappeared', which are common in ordinary troubleshooting conversations. This increases the chance of unintended invocation of an incident-response skill that is designed to perform investigative and restorative actions, potentially leading the agent toward sensitive system inspection or change-oriented workflows without explicit user intent.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README states that the workflow includes restore, restart, chmod changes, cron scheduling, and persistent documentation writes, but it does not clearly warn users that the skill can alter system state and persistence. In context, this is more dangerous because the skill is framed as an operational incident-response tool, so users may invoke it during stressful outages and overlook that it can make impactful changes to production systems.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger list is unusually broad for a high-impact incident-response skill and includes generic phrases like "fix this," "investigate," and "audit," which can cause the skill to activate in unrelated contexts. Because the skill then directs an agent with exec access to inspect systems, restore configuration, and make persistent changes, unintended invocation can lead to unnecessary or unsafe actions on production systems.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill prescribes configuration restores, service restarts, git commits, cron creation, and writes to persistent rule files without requiring explicit user consent at each modifying step. In an agentic environment, this can turn diagnosis into unauthorized remediation, create lasting system changes, and potentially overwrite valid state if the incident hypothesis is wrong.

Missing User Warnings

Medium
Confidence: 90%
Finding
The checklist documents a destructive remediation step (`rm ~/.openclaw/memory/AGENT.sqlite`) without any warning, backup guidance, or confirmation step. In an agent-facing troubleshooting skill, this increases the chance that an automated or hurried operator will delete persistent state and lose indexed data unintentionally.

Missing User Warnings

Medium
Confidence: 92%
Finding
The session reset procedure renames the active session history file to recover from orphaned tool calls, but it does not warn that this effectively discards conversation state and may disrupt in-flight or future interactions. In a troubleshooting checklist intended for quick execution, omission of impact guidance makes accidental state loss more likely.

Vague Triggers

Medium
Confidence: 96%
Finding
The template instructs monitoring to continue until the user says "good enough," which is a vague, everyday phrase that can be triggered accidentally, misinterpreted by an agent, or spoofed in unrelated conversation context. In a cron/incident-monitoring workflow, this ambiguity can cause premature termination of safety monitoring, reducing visibility into recurring incidents and allowing regressions to persist unnoticed.

Vague Triggers

High
Confidence: 94%
Finding
The trigger phrases are broad enough to match routine troubleshooting requests like 'fix {thing}' or 'debug {thing}', which can invoke a powerful incident-response skill in contexts the user did not explicitly intend. Because the skill grants exec, git, python3, filesystem write, and cron capabilities, accidental or overly broad activation materially increases the chance of unnecessary system access, state changes, or persistence-related actions.

Vague Triggers

Medium
Confidence: 89%
Finding
Several triggers in this section are highly ambiguous, including phrases like 'root cause', 'audit {thing}', and 'something disappeared', which can match many benign conversations unrelated to system incidents. In a skill with privileged operational tooling, ambiguous activation broadens the attack surface and can lead to unintended execution of investigative or restorative workflows.

Vague Triggers

Medium
Confidence: 90%
Finding
These positive trigger examples include broad, natural-language phrases like configuration changes or missing items that can plausibly occur in non-incident contexts. In a trigger test file for an incident-response skill, such overbroad phrases can train or validate unintended activation behavior, causing the skill to engage on ordinary requests and potentially expose investigative actions or sensitive context unnecessarily.

VirusTotal

64/64 vendors flagged this skill as clean.
