Help other OpenClaw instances synchronize memory through a GitHub repository

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs Review because it handles a GitHub token unsafely and attempts broad workspace synchronization through shell scripts.

Install only if you are comfortable giving the skill access to a narrowly scoped private GitHub repository and reviewing the generated scripts before running them. Use a least-privilege, disposable token, avoid syncing folders that may contain secrets, and do not enable scheduled sync until the file scope and deletion behavior are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill solicits a GitHub Personal Access Token and uses it to access an external repository, but there is no manifest, scope restriction, or minimization of what data will be accessed and transferred. In this implementation, the token is later embedded into a shell command, which creates a concrete credential exposure risk beyond merely requesting sensitive input.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill executes shell commands and creates executable shell scripts that perform cloning, pulling, pushing, copying, and deletion of local files. This gives the skill powerful system-level side effects, and in this code those effects are driven by user-influenced values and repository contents without robust validation or sandboxing.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README instructs users to provide a GitHub personal access token and says the skill will automatically create scripts and configuration, but it gives no warning about secure token handling, storage, scope minimization, or what system changes will be made. In a skill that automates synchronization across devices, this omission can lead users to expose repository credentials or run generated scripts blindly, increasing the risk of credential leakage or unsafe local modifications.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The CLI asks for a GitHub Personal Access Token while claiming the input will be hidden, but it uses standard readline input, which echoes typed characters to the terminal. This can expose the token to shoulder surfing, terminal recording, shell session logging, or user misunderstanding caused by the misleading prompt.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The token is inserted directly into a `git clone` shell command URL, which can leak credentials via process listings, shell history, logs, crash output, or child-process telemetry. Even if intended only for validation, transmitting credentials this way materially increases the chance of secret disclosure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill creates and later runs scripts that copy, merge, upload, and delete workspace data, including `--delete` and cleanup operations, without any explicit dry-run, confirmation, or warning about destructive behavior. Users may unknowingly alter or lose local data, or publish sensitive workspace contents to a remote repository.

Ssd 3

High
Confidence
98% confidence
Finding
The generated scripts routinely copy the entire local workspace into a Git repository backup path, which is likely to include user memory, notes, secrets, tokens, or other sensitive files by default. Because the repository is remote and persistence-oriented, this behavior can cause broad unintended data exfiltration and long-term retention of sensitive content.

Ssd 3

High
Confidence
96% confidence
Finding
The bidirectional sync logic downloads remote backups and merges them into the local workspace while also uploading local contents back to the repository, creating two-way propagation of sensitive or untrusted data. This increases risk because remote repository contents can influence the local workspace, and local confidential data can be replicated outward without robust conflict handling, trust checks, or content filtering.

Credential Access

High
Category
Privilege Escalation
Content
},
          "token": {
            "type": "string",
            "description": "GitHub Personal Access Token"
          }
        },
        "required": ["repoUrl", "token"]
Confidence
93% confidence
Finding
Access Token

VirusTotal

63/63 vendors flagged this skill as clean.
