ClawHub

OpenClaw Task Experience Summaries

Security checks across malware telemetry and agentic risk

Overview

This is a troubleshooting note skill with command and API-key examples, but it does not run code or hide behavior.

Safe to install as a reference skill. Before following examples, verify package names, avoid force or publish commands unless you intend their effects, and do not save real API keys, tokens, or copied terminal output containing secrets into the skill file or shared documentation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description is broadly scoped to installation issues, unknown errors, package guidance, and documenting experiences, which can cause the agent to invoke it for many ordinary requests beyond a narrowly defined use case. Over-broad activation increases the chance of irrelevant or unsafe guidance being surfaced automatically, especially when the skill includes package installation, configuration, and operational commands that may be applied without sufficient context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs users to set and verify environment variables containing API keys and tokens, but does not warn against exposing secrets in shell history, screenshots, logs, shared configs, or documentation. In a troubleshooting/documentation skill, this is risky because users may copy credentials into persistent files or output them to the terminal while debugging, leading to accidental credential disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal