ClawHub
Back to skill

Security audit

clawsec-feed

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed security-advisory feed skill with normal feed-fetching and local state behavior, plus manageable scoping and install-verification caveats.

Install this if you want an agent-security advisory feed. Prefer the signed, pinned verification workflow over the one-line latest-release curl command, and do not assume the feed is limited only to OpenClaw advisories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The file is described as an OpenClaw-related advisory feed, but it includes advisories for unrelated products such as Hermes, PicoClaw, and NanoClaw. Consumers that trust this feed for scoped automation may ingest, prioritize, suppress, or trigger responses for out-of-scope products, creating policy confusion and potentially causing incorrect security decisions or alert fatigue.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes very broad phrases such as 'security advisories', 'security alerts', 'security news', and 'check advisories', which are likely to match ordinary user conversations and cause this skill to activate outside narrowly intended contexts. In a security-themed skill, overbroad activation is especially risky because it can steer unrelated discussions toward external feed retrieval or security workflow behavior the user did not explicitly request.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
advisories/feed.json:21364