clawbba-api

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real ClawBBA integration, but it needs review because installation can rewrite OpenClaw/Codex runtime files, alter global versions, restart processes, and persist credentials.

Install only if you are comfortable letting this skill patch OpenClaw runtime bundles, change OpenClaw/Codex configuration, persist the ClawBBA API key locally, and restart or terminate related processes. Review the installer and patch scripts first, use a test OpenClaw host where possible, keep backups, and avoid installing on shared or sensitive machines unless these runtime modifications are acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (49)

Description-Behavior Mismatch (Medium severity, 95% confidence)
The README frames this as an API integration, but the documented install behavior also patches core OpenClaw files, modifies runtime behavior, and writes compatibility state into the local skill directory. That is a significant expansion of capability beyond simple provider configuration, increasing supply-chain and integrity risk because users may grant broad trust to what appears to be a narrow connector.

Description-Behavior Mismatch (Medium severity, 93% confidence)
The documentation says setup repoints provider configuration for image and video tools, but the changelog shows the skill also alters delivery logic, transcript injection, recover flows, and gateway behavior. This mismatch undermines informed consent and makes the package materially more dangerous because users expecting an API bridge may unknowingly install a runtime-modifying patch set.

Context-Inappropriate Capability (Medium severity, 90% confidence)
The installer can prompt for or automatically perform a global `npm i -g openclaw@...` to align versions, including downgrades. Allowing a third-party skill installer to change the host application's global version materially affects system integrity and can introduce unexpected regressions, especially when default choices favor modification.

Context-Inappropriate Capability (High severity, 99% confidence)
The one-line install fetches a remote script and executes it immediately via `bash`, giving the remote server full code execution on the user's machine at install time. This is especially dangerous here because the package already claims broad patching and restart behavior, so compromise of the distribution endpoint or script contents would directly yield arbitrary command execution and persistent host modification.

Intent-Code Divergence (Medium severity, 91% confidence)
The opening description presents a straightforward OpenAI-compatible endpoint integration, but the rest of the README describes extensive patching of runtime, media delivery, session handling, and transcript injection. This discrepancy is dangerous because it reduces transparency and can cause users to authorize invasive changes under a much narrower trust assumption.

Description-Behavior Mismatch (Medium severity, 90% confidence)
The manifest presents the skill as API/model access, but the body documents runtime patching and rewriting of local agent configuration files. In context, this broadens the trust boundary from normal API use to local system modification, which materially increases risk if the skill is outdated, compromised, or misused.

Intent-Code Divergence (Medium severity, 82% confidence)
The statement that the skill 'only' handles account guidance and automatic configuration is contradicted by later instructions covering runtime patching and delivery-behavior changes. This kind of minimizing language can mislead users about the true scope of installation and reduce scrutiny of security-sensitive actions.

Description-Behavior Mismatch (Medium severity, 80% confidence)
The setup guide claims a narrow API/config integration role, but explicitly documents a runtime patch to OpenClaw internals. That mismatch increases supply-chain and maintenance risk because users are asked to modify application code paths outside the stated trust boundary, making review and safe operation harder.

Context-Inappropriate Capability (Medium severity, 83% confidence)
The documented installation path requires shell execution and patch scripts even though the skill is described as an API/model access layer. This expands the attack surface unnecessarily: arbitrary local script execution can alter the host, exfiltrate secrets, or persist changes beyond simple configuration.

Description-Behavior Mismatch (Medium severity, 81% confidence)
The documentation instructs users to fix OpenClaw configuration schema and apply patch scripts that modify internals, which exceeds a normal API-routing skill. Changes to core config validation and runtime behavior can weaken platform safeguards and create hard-to-audit behavior for future updates.

Context-Inappropriate Capability (Medium severity, 97% confidence)
The installer persists the provided API key by appending it to shell startup files such as `.zshrc`, `.bashrc`, or `.profile`. This broadens the blast radius of the secret beyond the app-specific config, exposes it to other local processes or accidental disclosure through dotfile syncing/sharing, and does so automatically without scoped consent.

Context-Inappropriate Capability (Medium severity, 94% confidence)
The installer forcefully terminates `Codex` processes using `pkill`, which is an operational control action outside a narrow API integration setup. Even if intended to avoid stale state, it can interrupt user work, terminate unrelated sessions, and surprise users because it happens automatically.

Context-Inappropriate Capability (Medium severity, 98% confidence)
The script deletes `~/.codex/auth.json` when it detects ChatGPT auth mode and also moves the sandbox cache directory under `~/.codex`. This modifies authentication state and local runtime state beyond simple API configuration, potentially logging users out, disrupting existing setups, and removing safeguards without explicit approval.

Description-Behavior Mismatch (Medium severity, 89% confidence)
This file contains code that patches generated OpenClaw tool bundles on disk and changes delivery behavior, session-key handling, transcript mirroring, and user-facing recovery flows. That is a privileged code-modification capability well beyond simple API routing; if invoked in an unintended context, it can silently alter runtime logic and message delivery destinations, creating integrity and confidentiality risks.

Context-Inappropriate Capability (Medium severity, 95% confidence)
The code reads and rewrites tool source files on disk (`fs.readFileSync`/`fs.writeFileSync`) to modify runtime imports and behavior. Arbitrary or loosely constrained on-disk patching increases the attack surface substantially because compromised inputs, paths, or upgrade flows could persistently alter application behavior and bypass normal deployment/review controls.

Context-Inappropriate Capability (Low severity, 82% confidence)
This code mirrors session transcript content and injects recovery notices into WebChat sessions, including cross-channel recovery logic and broadcast/reload behavior. That expands the skill from message delivery into conversation-state manipulation, which can expose or duplicate user content across channels/sessions if origin resolution or session-key mapping is wrong.

Description-Behavior Mismatch (Medium severity, 89% confidence)
This script injects substantial behavior beyond a simple API integration: it resolves credentials, polls remote endpoints, downloads media, and dispatches content into chat channels. That expansion increases the skill's privilege and data-handling scope, creating unexpected network, credential, and message-delivery side effects that a user or reviewer may not anticipate from the stated skill description.

Context-Inappropriate Capability (High severity, 96% confidence)
The file rewrites other source files on disk to inject new execution paths and delivery logic, which is a powerful self-modifying capability. In an agent skill context, this can silently alter trusted tool behavior, persist unauthorized functionality, and make later security review much harder because the runtime code no longer matches the originally reviewed source.

Description-Behavior Mismatch (Medium severity, 95% confidence)
This code reads, rewrites, and persists changes into built distribution/tool files in place, altering application behavior beyond the advertised role of an API connector. Silent self-patching of local runtime artifacts is dangerous because it creates a supply-chain-style persistence point, can bypass normal review/deployment controls, and may inject behavior into unrelated sessions or tools without clear operator awareness.

Description-Behavior Mismatch (Medium severity, 92% confidence)
The code directly appends assistant messages into session transcripts and emits synthetic chat/session events, effectively forging conversation state outside the normal message-generation path. That is dangerous because it can misrepresent model output, inject content into user-visible history, and blur trust boundaries between genuine assistant responses and tool-authored messages.

Description-Behavior Mismatch (Medium severity, 93% confidence)
This script modifies the local OpenClaw configuration and synchronizes multiple agent `models.json` files, expanding its behavior beyond a narrowly described API/messaging integration. In an installer or setup context, silently rewriting local agent defaults and related files can alter user workflows, redirect model usage, and create persistence the user may not expect, which is a real security and trust boundary issue even if no direct code execution occurs.

Description-Behavior Mismatch (Medium severity, 89% confidence)
The script goes beyond passive version checking and can execute another local script to generate a manifest, then perform package-management actions that modify the host. That behavior exceeds the stated API/chat integration purpose and increases the attack surface, especially during installation where users may not expect host-level changes.

Context-Inappropriate Capability (High severity, 96% confidence)
The script constructs an npm command from manifest-derived data and executes it with `execSync` to globally install or downgrade software on the host. In non-interactive setups it also encourages automatic version alignment via an environment variable, making unexpected host modification more likely during install pipelines.

Description-Behavior Mismatch (Medium severity, 95% confidence)
This script actively rewrites OpenClaw distribution bundles on disk using `fs.writeFileSync` after discovering install locations, which is a privileged self-modifying behavior unrelated to a narrow 'API access' capability. Even if intended as a compatibility repair, silently patching third-party runtime files increases supply-chain risk, can break integrity expectations, and creates an avenue for unauthorized code modification if triggered in broader environments.

Context-Inappropriate Capability (Medium severity, 97% confidence)
The script scans for OpenClaw distribution paths, selects bundle files, and modifies them locally without strong scoping or user approval. In the context of a skill described as an API integration, this expands capability into local filesystem discovery and third-party code mutation, which is dangerous because it can alter unrelated installations, bypass normal update channels, and undermine package trust boundaries.

VirusTotal

65/65 vendors flagged this skill as clean.