Agent Safety

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local safety-scanning skill with a Git hook and health-check script; it has workflow and privacy considerations but no artifact-backed malicious behavior.

Install this only if you want local shell-based scanning and a repository pre-commit hook that can block commits. Run scans only on files or repos you intend to publish, check whether an existing pre-commit hook would be overwritten, and treat health-check output as local security/workspace information that should not be shared casually.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill invokes shell scripts but does not declare any permissions, which creates a transparency and trust problem for users and any policy engine relying on declared capabilities. In a security-sensitive skill, hidden or undeclared shell execution increases the risk of unexpected filesystem, git, and system-inspection actions being run without adequate review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is outbound publication safety, but the skill also advertises broader host inspection and system health monitoring, including workspace inspection, update queries, and security posture checks. That mismatch is dangerous because users may grant trust for a narrow scanning task while the skill performs materially broader reconnaissance on the local machine, increasing privacy exposure and expanding the attack surface.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This section performs functionality outside the skill’s declared purpose by checking the current AI model and querying npm for the latest OpenClaw version. The npm lookup introduces outbound network activity and environmental discovery in a script presented as a local health check for an outbound-safety skill, which expands trust and data-exposure boundaries beyond what users would reasonably expect.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This block inventories OS patch status, firewall state, and SIP status, which exceeds the manifest’s stated role of scanning agent output and blocking unsafe git commits. Even though the checks are local, they collect sensitive host-security posture information that could later be exposed through logs, agent output, or misuse in a broader workflow.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The command `npm view openclaw version` performs a network-based registry lookup that is not necessary for the skill’s advertised git-level secret scanning and outbound safety purpose. Unexpected network access from a security-related helper script is dangerous because it can disclose metadata about the environment and violates least-privilege and user-expectation boundaries.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The network version check lacks any user-facing notice that running the health check will contact an external service. While the data sent may be limited, undisclosed outbound connections from a tool marketed around safety can erode trust and create privacy or policy-compliance issues in restricted environments.

VirusTotal

66/66 vendors flagged this skill as clean.
