claw-code

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed CLI-style TypeScript harness simulator, and the sensitive-sounding behaviors flagged by scanners are implemented as no-op stubs rather than real credential, MDM, filesystem, or network access.

Install only if you want a CLI harness/registry simulator for OpenClaw or Claude Code-like internals. Be aware that command names include sensitive concepts such as keychain, MDM, SSH, shell, and file tools, but this version appears to use static placeholders rather than performing those operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Medium
Confidence: 94%
Finding:
The file presents itself as generic workspace setup, but runSetup immediately launches sensitive side effects including MDM raw reads and keychain prefetching. Triggering credential- or device-management-related collection during setup increases the risk of undisclosed sensitive data access and violates the principle of least surprise, especially because these actions occur before any explicit consent or clear trust validation is visible in this file.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The flush-transcript command persists user-supplied session content to disk immediately and only reports the path afterward, with no warning, confirmation, or indication of sensitivity handling. In an agent skill context, transcripts may contain prompts, secrets, tokens, internal paths, or operational context, so silent persistence increases the risk of unintended data retention and later disclosure.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The runtime persists a session to disk after submitting the prompt and records rich session data including the prompt, execution metadata, routing history, and turn results. Because prompts may contain sensitive user data and there is no indication here of consent, minimization, redaction, encryption, or retention controls, this creates a real privacy and data exposure risk if local files are accessed by other users, processes, or later telemetry workflows.

Missing User Warnings

Medium
Confidence: 92%
Finding:
startKeychainPrefetch() is invoked directly in the setup path with no visible warning, consent flow, or justification in this file. Accessing or prefetching keychain-related data is highly sensitive because it may expose credentials, tokens, or secret metadata, and doing so automatically in a setup routine makes the behavior more dangerous in this skill context.

Missing User Warnings

Medium
Confidence: 90%
Finding:
startMdmRawRead() is started automatically during setup without visible disclosure or user awareness in this file. Raw MDM data can contain sensitive device-management, inventory, policy, or enterprise configuration information, so silently collecting it during initialization creates unnecessary exposure and weakens transparency and trust boundaries.

VirusTotal

66/66 vendors flagged this skill as clean.