
Security audit

openclaw-school

Security checks across malware telemetry and agentic risk

Overview

This skill serves a genuine enrollment purpose, but it can install skills chosen by the training server, modify the user's environment, and report training results that were never produced, with little upfront control and no clear disclosure of any of this.

Review this skill carefully before installing it, and if you do use it:
  • Use it only with a training server and a ClawHub registry you trust; the server decides which skills get installed.
  • Ask to see the exact skill slugs and shell commands before the install phase runs.
  • Prefer a dry run first, so nothing is installed until you have approved the plan.
  • Be aware that it reports your progress, together with your current workspace path, to the remote server.
  • Do not rely on its reported assessment scores: they appear to be generated locally rather than by a real test.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%

Finding: The script installs software and skills on the host by running `npm install -g clawhub` and then `clawhub install <slug> --force`, where the package identifiers and the registry configuration are influenced by remote course data and by CLI options. This is a real host-modification and supply-chain risk: a remote server can cause unreviewed code or packages to be installed into the user's environment, and `--force` suppresses the checks that might otherwise stop it. This goes well beyond what a simple enrollment and progress-reporting skill needs.
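One way to keep the install phase under local control, covering both the "see the exact skills and commands before the install phase" recommendation above and this finding. This is an added example, not code from the openclaw-school skill or from ClawHub: it turns a server-supplied course manifest into an install plan that the user reviews before anything runs. Slugs are validated and checked against a local allowlist, registry overrides from the server are refused, the server cannot add flags such as `--force`, and the result is a list of argv arrays rather than executed commands. The manifest shape `{ skills: [{ slug, registry?, args? }] }`, the slug grammar in `SLUG_RE` and the policy object are assumptions for illustration; only the commands themselves (`npm install -g clawhub`, `clawhub install <slug>`) come from the audit.

```javascript
// Added example; not code from the openclaw-school skill or from ClawHub.
// Builds a reviewable install plan from a server-supplied course manifest.
// Assumptions (not from the audited script): manifest shape, slug grammar,
// and the policy object are illustrative.

// Assumed slug grammar: must start with an alphanumeric character, so a slug
// can never be parsed by the CLI as a flag, and contains no shell metacharacters.
const SLUG_RE = /^[a-z0-9][a-z0-9._-]{0,63}$/;
const FORBIDDEN_FLAGS = new Set(['--force', '-f']);

function planInstalls(course, policy) {
  const { allowedSlugs, pinnedRegistry, clawhubVersion, dryRun = true } = policy;
  const commands = [];
  const rejected = [];

  // Bootstrap the CLI at a version chosen locally, not whatever "latest" is at
  // install time; npm's name@version syntax pins it.
  commands.push(['npm', 'install', '-g', `clawhub@${clawhubVersion}`]);

  for (const entry of Array.isArray(course?.skills) ? course.skills : []) {
    const slug = typeof entry?.slug === 'string' ? entry.slug : '';
    const reject = (reason) => rejected.push({ slug, reason });

    if (!SLUG_RE.test(slug)) { reject('malformed slug'); continue; }
    if (!allowedSlugs.has(slug)) { reject('not on the local allowlist'); continue; }
    // The server may name a registry, but only the locally pinned one is honoured.
    if (entry.registry !== undefined && entry.registry !== pinnedRegistry) {
      reject(`registry override refused: ${entry.registry}`);
      continue;
    }
    const extra = Array.isArray(entry.args) ? entry.args : [];
    if (extra.some((a) => FORBIDDEN_FLAGS.has(a))) { reject('server requested --force'); continue; }
    // The install line is fixed; any other server-supplied arguments are refused too.
    if (extra.length > 0) { reject(`unexpected arguments: ${extra.join(' ')}`); continue; }

    commands.push(['clawhub', 'install', slug]);
  }
  return { dryRun, commands, rejected };
}

// Render the plan as the text a user sees and approves before execution.
function renderPlan(plan) {
  const lines = [plan.dryRun ? 'DRY RUN: nothing will be executed.' : 'The following commands will run:'];
  for (const argv of plan.commands) lines.push('  ' + argv.join(' '));
  for (const r of plan.rejected) lines.push(`  SKIPPED ${r.slug || '(empty)'}: ${r.reason}`);
  return lines.join('\n');
}

// Constructed sample manifest, as a hostile or misconfigured server might send it.
const sampleCourse = { skills: [
  { slug: 'note-taker' },
  { slug: 'evil;rm -rf /' },
  { slug: 'unvetted-tool' },
  { slug: 'mirror-skill', registry: 'https://registry.attacker.example' },
  { slug: 'forced-skill', args: ['--force'] },
] };
// Constructed local policy: the allowlist and pinned registry live with the user.
const samplePolicy = {
  allowedSlugs: new Set(['note-taker', 'mirror-skill', 'forced-skill']),
  pinnedRegistry: 'https://registry.example.test',
  clawhubVersion: '1.2.3',
};

console.log(renderPlan(planInstalls(sampleCourse, samplePolicy)));
```

The argv arrays are meant to be handed to `child_process.execFile` or `spawn`, which pass arguments without a shell, so a slug that slips past validation still cannot become a shell command; building a command string for `exec` would reintroduce that risk.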

Intent-Code Divergence
Severity: High
Confidence: 98%

Finding: The code generates assessment scores locally with helper functions and then reports them to the server as completed baseline and graduation tests, although no assessment is ever run. This is a workflow-integrity problem: it fabricates training outcomes, and anyone (or any system) downstream that trusts those reports will believe the installed capabilities were validated when they were not.

Intent-Code Divergence
Severity: Medium
Confidence: 87%

Finding: The package-fetching phase reports that training resources were retrieved, but the implementation only reloads course metadata and emits success events. This misrepresents system state: operators or automation may conclude that required resources are present and validated when nothing has actually been fetched or checked.

Missing User Warnings
Severity: Medium
Confidence: 97%

Finding: The skill description and workflow make clear that the skill contacts external services, reports progress to a remote server, and installs additional skills, yet the user-facing metadata does not present any of these as consent-sensitive behaviours that deserve a prominent warning. Users can therefore authorize the enrollment flow, the remote reporting, and the package installation without informed consent, which raises the risk of supply-chain compromise and privacy leakage.

Natural-Language Policy Violations
Severity: Medium
Confidence: 92%

Finding: Forcing every progress update into exactly one short Chinese sentence, without the user opting in, can leave users who do not read Chinese unaware that enrollment and testing actions are taking place. In a workflow that installs skills and reports to external services, reduced comprehension directly weakens meaningful consent and the user's ability to notice suspicious behaviour.

Natural-Language Policy Violations
Severity: Medium
Confidence: 92%

Finding: Mandating concise Chinese responses for phase updates, with no language choice offered, can hide important operational details during the package-fetching, installation, and testing phases. This raises the chance that users miss warnings, misunderstand what is being installed, or fail to stop an unexpected external action in time.

Missing User Warnings
Severity: Medium
Confidence: 96%

Finding: The enrollment request includes `process.cwd()` as `clientMeta.workspace` and sends it to the remote server without disclosure or consent. A workspace path can reveal usernames, project names, internal directory structure, or customer identifiers, so this is an unnecessary leak of privacy-sensitive environment information.
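A pre-send check and a consent-gated replacement for this field. This is an added example, not code from the openclaw-school skill: `findLeaks` walks an outbound payload and flags string values that look like host paths (the class of leak in this finding), `buildClientMeta` includes workspace information only when the user has explicitly agreed, and then only the final path segment rather than the full `process.cwd()`, and `prepareEnrollmentRequest` refuses to produce a payload that still carries a leak. The payload shape, the `{ shareWorkspace }` consent object and the `LEAK_PATTERNS` list are assumptions for illustration; only the field name `clientMeta.workspace` comes from the audit.

```javascript
// Added example; not code from the openclaw-school skill.
// Assumptions (not from the audited script): payload shape, consent object,
// and the leak patterns below are illustrative, not exhaustive.

const LEAK_PATTERNS = [
  // Order matters: the first match wins, so the more specific pattern goes first.
  { kind: 'home directory path (reveals username)', re: /^(?:\/home\/|\/Users\/|[A-Za-z]:\\Users\\)/ },
  { kind: 'absolute filesystem path', re: /^(?:\/|[A-Za-z]:\\)/ },
];

// Recursively scan every string in an object or array.
// Returns [{ path, kind, value }] for each value that matches a leak pattern.
function findLeaks(value, path = '') {
  const hits = [];
  if (typeof value === 'string') {
    const match = LEAK_PATTERNS.find((p) => p.re.test(value));
    if (match) hits.push({ path, kind: match.kind, value });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findLeaks(v, `${path}[${i}]`)));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      hits.push(...findLeaks(v, path ? `${path}.${k}` : k));
    }
  }
  return hits;
}

// Build clientMeta for the enrollment request. Without consent the workspace
// field is omitted entirely. With consent only the last path segment is sent;
// even that can be a project or customer name, which is why the default is off.
function buildClientMeta(cwd, consent = {}) {
  if (!consent.shareWorkspace) return {};
  const segments = String(cwd).split(/[\\/]+/).filter(Boolean);
  return { workspace: segments.length ? segments[segments.length - 1] : '' };
}

// Gate the request: never hand a payload to the network layer while it still
// carries something findLeaks recognises.
function prepareEnrollmentRequest(courseId, cwd, consent) {
  const payload = { courseId, clientMeta: buildClientMeta(cwd, consent) };
  const leaks = findLeaks(payload);
  if (leaks.length) {
    throw new Error('refusing to send: ' + leaks.map((l) => `${l.path} (${l.kind})`).join(', '));
  }
  return payload;
}

// Constructed sample: the audited behaviour versus the gated version.
const SAMPLE_CWD = '/home/alice/customers/acme-corp/billing-service';
const asAudited = { courseId: 'intro-101', clientMeta: { workspace: SAMPLE_CWD } };

console.log(findLeaks(asAudited));
console.log(prepareEnrollmentRequest('intro-101', SAMPLE_CWD, { shareWorkspace: false }));
```

`findLeaks` is deliberately a last line of defence rather than the primary control: the primary control is not collecting the path in the first place. If the server genuinely needs to distinguish workspaces, an opaque identifier generated and stored locally serves that purpose without revealing anything about the filesystem.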

VirusTotal

0 of 67 vendors flagged this skill; all 67 reported it clean. Note that a clean VirusTotal result reflects signature and file-level scanning only: it says nothing about behaviour such as installing server-selected packages or reporting workspace paths, so it does not offset the findings above.

Static analysis

Detected: suspicious.dangerous_exec (Critical)
Shell command execution detected (child_process).
Location: scripts/enroll-and-train.mjs:127

This is consistent with the first SkillSpector finding: a script that runs `npm install -g clawhub` and `clawhub install <slug> --force` needs child_process to do so, and the slug being partly server-controlled is what makes that execution path worth reviewing.