clawsec-scanner

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real vulnerability scanner, but its hook and DAST features can automatically run scanned hook code with broad local environment access.

Install only if you intend to run a powerful local security scanner. Avoid DAST scans or continuous monitoring when scanning untrusted skills unless the environment is scrubbed of secrets, and review the hook setup because it persists and enables automatic scanning.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This setup script does more than a passive scanner installer: it copies a hook into the user's persistent OpenClaw hooks directory and enables it automatically. In an agent platform, a persistent hook changes future runtime behavior and can execute repeatedly, so auto-installing and activating it without an explicit consent step increases security risk even if the intended purpose is vulnerability scanning.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script dynamically imports and executes a handler path supplied via the `--handler` argument, then invokes an exported function with attacker-controlled event/context data. In a DAST tool this behavior is intentional, but it still creates an arbitrary code execution primitive if untrusted users can influence the handler path or the scanned project contents, especially because the file is executed with the scanner's privileges.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The runner spawns a child Node.js process to execute discovered hook handlers and passes through the entire parent environment via `...process.env`. Because the target hooks are untrusted code under test, they can read inherited secrets such as API keys, cloud credentials, tokens, proxy settings, or CI secrets from environment variables and exfiltrate them during execution. In a scanner that intentionally executes third-party hook code, this is materially dangerous rather than a theoretical issue.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script unconditionally deletes the target hook directory with `fs.rmSync(..., force: true)` and replaces it, with no warning, backup, or confirmation. If a user already has a customized or trusted hook at that path, this causes silent destructive overwrite and could erase local modifications or swap in different code that will later run inside the agent platform.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The script enables the hook immediately via a subprocess call to `openclaw hooks enable`, without a prior user-facing warning or separate approval step. In this skill context, enabling a hook is more sensitive than ordinary setup because it activates persistent behavior inside the OpenClaw environment and can affect subsequent sessions automatically.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list includes very broad phrases such as 'security scan', 'run scanner', 'check vulnerabilities', and 'security check' that are likely to match ordinary user requests beyond the intended narrow use case. In an agent platform, this can cause unintended auto-invocation of a high-privilege security tool, increasing the chance of unnecessary code inspection, subprocess execution, network lookups, or interference with other workflows.

VirusTotal

62/62 vendors flagged this skill as clean.
