GoList

Security checks across malware telemetry and agentic risk

Overview

GoList is a coherent shopping-list integration with disclosed API use, local state, and sharing behavior, though users should treat share links and the local state file as private.

Install only if you are comfortable sending shopping-list data to go-list.app. Keep share URLs and tokens private, and remove or isolate ~/.openclaw_golist_state.json on shared machines or when you want to reset the saved device and list context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly states that the skill generates and persists a device UUID and stores known list names/IDs locally, but it does not warn users that local identifiers and list metadata will be retained. This can create privacy and tracking risk on shared or managed systems because sensitive shopping/list associations may remain on disk beyond the current session.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly requires automatically generating a share token and sending the share URL to the user immediately after list creation, without confirming intent or warning that possession of the token enables access to the shared list. Because share tokens are effectively access grants, automatic disclosure increases the chance of unintended sharing, leakage through chat logs, or exposing a private shopping list to the wrong recipient.

Session Persistence

Medium
Category
Rogue Agent
Content
## Purpose
Enable OpenClaw to manage GoList through a simple, beginner-friendly CLI wrapper around the backend API.

GoList is a simplistic app for creating and sharing grocery / shopping lists. This skill is designed to make first-time usage feel fast and approachable: create a list, add items, share with others, and switch between saved lists with minimal setup.

This skill supports:
- creating new lists,
Confidence
84% confidence
Finding
create a list, add items, share with others, and switch between saved lists with minimal setup. This skill supports: - creating new lists, - joining shared lists via share token, - saving known lists

Session Persistence

Medium
Category
Rogue Agent
Content
## Purpose
Enable OpenClaw to manage GoList through a simple, beginner-friendly CLI wrapper around the backend API.

GoList is a simplistic app for creating and sharing grocery / shopping lists. This skill is designed to make first-time usage feel fast and approachable: create a list, add items, share with others, and switch between saved lists with minimal setup.

This skill supports:
- creating new lists,
Confidence
84% confidence
Finding
plist

VirusTotal

64/64 vendors flagged this skill as clean.
