ClawHub

Cognitive Coach

Security checks across malware telemetry and agentic risk

Overview

This instruction-only coaching skill is purpose-aligned, but it processes user-provided chat history and keeps hidden review prompts for a later reminder.

Install only if you are comfortable giving the agent exported chat records to analyze. Avoid uploading conversations that contain secrets, private personal information, or confidential work material, and check whether your OpenClaw environment lets you view, cancel, or delete the scheduled review and stored cards.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill says it will receive historical chat records and 'silently' perform denoising and extraction, while also generating hidden internal review cards containing topics, prompts, and reference answers. In context, this means potentially sensitive user data is transformed and retained without any privacy notice, minimization policy, or user control, increasing the chance of overcollection or unintended exposure of personal or confidential information.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill says it will receive historical chat records and 'silently' perform denoising and extraction, while also generating hidden internal review cards containing topics, prompts, and reference answers. In context, this means potentially sensitive user data is transformed and retained without any privacy notice, minimization policy, or user control, increasing the chance of overcollection or unintended exposure of personal or confidential information.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal