
Security audit

灵枢 AutoBrain

Security checks across malware telemetry and agentic risk

Overview

This plugin is not clearly malicious, but it takes broad automatic control over the OpenClaw workspace, memory, scheduled jobs, and agent behavior with weak scoping and user control.

Install only after reviewing the code and accepting that it will run local commands, modify your OpenClaw workspace, persist conversation-derived state, alter agent behavior rules, scan existing memories and skills, contact clawhub.ai for version checks, and replace existing OpenClaw cron jobs. Use a separate test workspace first and avoid installing in an environment with important existing cron tasks or sensitive memory/config data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (47)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return {"status": "error", "message": f"脚本未找到: {script}"}

    try:
        result = subprocess.run(
            [sys.executable, target] + (args or []),
            cwd=WORKSPACE, capture_output=True, text=True, timeout=60
        )
Confidence
96% confidence
Finding
result = subprocess.run( [sys.executable, target] + (args or []), cwd=WORKSPACE, capture_output=True, text=True, timeout=60 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        se_path = os.path.join(WORKSPACE, "core", "engines", "hooks", "self_evolution_v3.py")
        if os.path.exists(se_path):
            r = subprocess.run(
                [sys.executable, "-c", "import sys; sys.path.insert(0,'.'); from core.engines.hooks.self_evolution_v3 import SelfEvolutionEngine; print('ok')"],
                cwd=WORKSPACE, capture_output=True, text=True, timeout=15
            )
Confidence
97% confidence
Finding
r = subprocess.run( [sys.executable, "-c", "import sys; sys.path.insert(0,'.'); from core.engines.hooks.self_evolution_v3 import SelfEvolutionEngine; print('ok')"],

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        at_path = os.path.join(WORKSPACE, "core", "engines", "tools", "auto_tuning.py")
        if os.path.exists(at_path):
            r = subprocess.run(
                [sys.executable, "-c", "import sys; sys.path.insert(0,'.'); from core.engines.tools.auto_tuning import init; print('ok')"],
                cwd=WORKSPACE, capture_output=True, text=True, timeout=15
            )
Confidence
97% confidence
Finding
r = subprocess.run( [sys.executable, "-c", "import sys; sys.path.insert(0,'.'); from core.engines.tools.auto_tuning import init; print('ok')"], cwd=WORKSPAC

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cron_sh = os.path.join(WORKSPACE, "scripts", "register_crons.sh")
    if os.path.exists(cron_sh):
        try:
            r = subprocess.run(["bash", cron_sh], cwd=WORKSPACE, capture_output=True, text=True, timeout=30)
            return {"status": "ok" if r.returncode == 0 else "error", "output": r.stdout[:200]}
        except Exception as e:
            return {"status": "error", "message": str(e)[:200]}
Confidence
98% confidence
Finding
r = subprocess.run(["bash", cron_sh], cwd=WORKSPACE, capture_output=True, text=True, timeout=30)

Dynamic import via __import__()

Medium
Category
Dangerous Code Execution
Content
        class_name = eng.get("class", "")

        try:
            module = __import__(module_path, fromlist=[class_name] if class_name else [])
            if class_name:
                getattr(module, class_name)
            results["imported"] += 1
Confidence
96% confidence
Finding
module = __import__(module_path, fromlist=[class_name] if class_name else [])

Tainted flow: 'CAPSULE_FILE' from os.environ.get (line 17, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    }
    try:
        os.makedirs(os.path.dirname(CAPSULE_FILE), exist_ok=True)
        with open(CAPSULE_FILE, "w", encoding="utf-8") as f:
            json.dump(state, f, indent=2, ensure_ascii=False)
        print(json.dumps({"status": "ok", "path": CAPSULE_FILE}))
    except Exception as e:
Confidence
91% confidence
Finding
with open(CAPSULE_FILE, "w", encoding="utf-8") as f:

Tainted flow: 'WORKSPACE' from os.environ.get (line 38, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
        return {"status": "error", "message": f"脚本未找到: {script}"}

    try:
        result = subprocess.run(
            [sys.executable, target] + (args or []),
            cwd=WORKSPACE, capture_output=True, text=True, timeout=60
        )
Confidence
97% confidence
Finding
result = subprocess.run( [sys.executable, target] + (args or []), cwd=WORKSPACE, capture_output=True, text=True, timeout=60 )

Tainted flow: 'SOUL_PATH' from os.environ.get (line 43, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
        # Append rules (separated by a divider so the user's existing content is not overwritten)
        merged = existing.rstrip() + "\n\n" + rules_content
        with open(SOUL_PATH, "w", encoding="utf-8") as f:
            f.write(merged)
        return {"status": "ok", "action": "merged", "position": "appended"}
    else:
Confidence
91% confidence
Finding
with open(SOUL_PATH, "w", encoding="utf-8") as f:

Tainted flow: 'SOUL_PATH' from os.environ.get (line 43, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
            f.write(merged)
        return {"status": "ok", "action": "merged", "position": "appended"}
    else:
        with open(SOUL_PATH, "w", encoding="utf-8") as f:
            f.write(rules_content)
        return {"status": "ok", "action": "created"}
Confidence
91% confidence
Finding
with open(SOUL_PATH, "w", encoding="utf-8") as f:

Tainted flow: 'WORKSPACE' from os.environ.get (line 38, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    try:
        se_path = os.path.join(WORKSPACE, "core", "engines", "hooks", "self_evolution_v3.py")
        if os.path.exists(se_path):
            r = subprocess.run(
                [sys.executable, "-c", "import sys; sys.path.insert(0,'.'); from core.engines.hooks.self_evolution_v3 import SelfEvolutionEngine; print('ok')"],
                cwd=WORKSPACE, capture_output=True, text=True, timeout=15
            )
Confidence
97% confidence
Finding
r = subprocess.run( [sys.executable, "-c", "import sys; sys.path.insert(0,'.'); from core.engines.hooks.self_evolution_v3 import SelfEvolutionEngine; print('ok')"],

Tainted flow: 'WORKSPACE' from os.environ.get (line 38, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    try:
        at_path = os.path.join(WORKSPACE, "core", "engines", "tools", "auto_tuning.py")
        if os.path.exists(at_path):
            r = subprocess.run(
                [sys.executable, "-c", "import sys; sys.path.insert(0,'.'); from core.engines.tools.auto_tuning import init; print('ok')"],
                cwd=WORKSPACE, capture_output=True, text=True, timeout=15
            )
Confidence
97% confidence
Finding
r = subprocess.run( [sys.executable, "-c", "import sys; sys.path.insert(0,'.'); from core.engines.tools.auto_tuning import init; print('ok')"], cwd=WORKSPAC

Tainted flow: 'cron_sh' from os.environ.get (line 423, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    cron_sh = os.path.join(WORKSPACE, "scripts", "register_crons.sh")
    if os.path.exists(cron_sh):
        try:
            r = subprocess.run(["bash", cron_sh], cwd=WORKSPACE, capture_output=True, text=True, timeout=30)
            return {"status": "ok" if r.returncode == 0 else "error", "output": r.stdout[:200]}
        except Exception as e:
            return {"status": "error", "message": str(e)[:200]}
Confidence
98% confidence
Finding
r = subprocess.run(["bash", cron_sh], cwd=WORKSPACE, capture_output=True, text=True, timeout=30)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The README promotes broad autonomous behavior including self-evolution, workflow orchestration, background sub-agents, lifecycle hooks, and persistent agent upgrades without clearly bounding scope or requiring explicit operator approval. In an agent skill context, documentation that normalizes expansive autonomy increases the likelihood of over-privileged installation and unsafe deployment of a capability set that can act continuously and across subsystems.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The README explicitly instructs use of a force-unsafe installation flag and dismisses child_process-based execution during bootstrap as a false positive, which is a strong risk signal rather than reassurance. Framing subprocess execution as harmless reduces scrutiny around code execution from a packaged bundle, increasing the chance that operators will install and run code with elevated trust and insufficient review.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The guide explicitly instructs users to install the package with a dangerous unsafe-install flag because the package invokes child_process. In the context of an agent plugin/skill, this materially increases risk because installation grants code execution capability and the document normalizes bypassing a safety control without providing a security review, scope limits, or trust-validation steps.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The plugin executes a shell command to enumerate installed plugins and then blocks installation based on keyword matches, effectively asserting control over the host's plugin ecosystem beyond its stated message-processing role. This creates an anti-competitive and potentially disruptive capability, and the shell-based implementation expands the attack surface by depending on external command execution and environment behavior.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
During deployment, the plugin unpacks bundles, copies scripts and metadata, writes marker files, may create SOUL.md, and alters workspace state well beyond what is needed for ordinary runtime hooks. This broad filesystem modification is dangerous because it silently establishes persistence, changes user workspace contents, and plants executable artifacts that may later be invoked automatically.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The comment claims the plugin does not overwrite SOUL.md, but the code creates SOUL.md when absent, which is still a material workspace modification and can influence downstream agent behavior. The mismatch between comment and implementation is security-relevant because it obscures the plugin's true effects and reduces operator ability to make informed trust decisions.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The README reassures users that the startup child_process behavior is 'completely local' and 'does not involve remote', yet elsewhere documents remote embedding API support and version checks. This contradiction can mislead users into granting unsafe installation privileges under a false assumption about network behavior, weakening informed consent and masking the real attack surface.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README advertises persistent memory, SQLite-backed context retention, archive/index rebuilds, maintenance, cleanup, and scheduled jobs, but does not clearly disclose what data is stored, how long it persists, what is modified automatically, or how users can disable and purge it. In a skill/plugin that integrates into agent lifecycle hooks, undisclosed ongoing storage and automated modification materially increase privacy, integrity, and operational risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly advertises automatic scanning, daily maintenance, and periodic version checks, but the page does not clearly disclose scope, resource impact, data access, or how a user can opt out. In a plugin that installs 90+ Python engines and runs scheduled tasks, undocumented autonomous activity increases the risk of unexpected file access, network egress, and operational side effects.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The architecture explicitly documents persistent storage of user interaction data, including memory stores, profiles, logs, replay buffers, and verified responses, but provides no corresponding notice, consent flow, retention policy, or privacy controls. In an agent skill context, silent collection and long-term persistence of conversational data increases privacy and compliance risk because sensitive user content may be stored and later reprocessed without user awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented hooks save a context capsule on message receipt and send, meaning conversation state is persisted every cycle without any mention of notice or consent. Because this is tied directly to normal message flow, users may have their prompts, agent outputs, and derived state silently stored on disk during routine use.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The cron schedule describes automated background memory scanning, archiving, indexing, execution review, and system cleanup, but there is no warning that user-related data will be processed on a recurring basis even outside active interaction. This expands the privacy exposure window because stored content is not only retained but periodically reanalyzed and reorganized without explicit user knowledge.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The installation steps combine a force-unsafe install with broad automatic deployment into engine, script, and skill directories, while presenting these actions only briefly as normal setup behavior. That is dangerous because it can conceal the true extent of system modification and operational privilege being granted to the package, especially in an AI agent environment that may execute hooks, scripts, and subprocesses afterward.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
index.js:43