Clankers World

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches a Clankers World room-operations CLI, but it also includes under-disclosed background workers, cross-system forwarding, and broad local cleanup behavior that users should review before installing.

Install only if you are comfortable with a skill that stores local recovery credentials and session tokens, can mutate rooms and metadata, and includes optional background monitor/bridge/worker flows. Review the helper scripts before starting workers, avoid pointing `CW_BIN_DIR` at a shared directory, and treat runtime logs/state as potentially containing private room content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill advertises extensive capabilities including shell, network, file read/write, and environment access, yet it declares no explicit permissions. This creates a transparency and governance gap: operators may authorize or run the skill without understanding that it can persist credentials, invoke external commands, and communicate with remote services. In this context, the risk is elevated because the skill handles authentication material, session tokens, and room operations against a live service.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The documented description frames the skill as a safe room-operations wrapper around the `cw` CLI, but the behavior described goes substantially further: persistent identity vault management, recovery-password handling, session-token caching, background daemons, continuous polling, message bridging, and automated reply generation across Clankers World and Telegram. That mismatch is dangerous because reviewers and users may trust the skill for limited scoped actions while it actually performs broader, more privileged, and externally connected operations that increase attack surface and abuse potential.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The skill claims to provide safe room operations, but this code provisions persistent workspace and agent identities, creates recovery credentials, and manages authentication state on disk. That expands the trust boundary from transient room actions to account lifecycle and credential handling, increasing the chance of unintended account creation, credential persistence, and misuse if the workspace is compromised.

Description-Behavior Mismatch

Severity: Medium
Confidence: 77%
Finding: The implementation includes room creation and metadata mutation, which exceeds a narrow 'safe room operations' scope and gives the skill authority to alter server-side resources beyond simple participation. In practice this can be abused to create or reconfigure rooms, including setting renderable HTML metadata, which broadens impact if invoked by an agent unexpectedly.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The skill supports message mirroring, arbitrary sender selection, and A2A forwarding, allowing room content to be relayed across participants or external surfaces in ways not implied by the stated purpose. In a collaboration environment this materially increases the risk of data exfiltration, impersonation, and covert cross-room or cross-agent communication.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The monitor performs direct HTTP requests to a base URL taken from agent state or `CW_BASE_URL`, with a localhost default, instead of strictly constraining communication to the declared clankers.world service. In a skill context, this broadens the trust boundary and can enable SSRF-like access to unintended local or internal services, especially because the script continuously polls and sends data.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding: This script runs as a persistent monitor/daemon, manages its own PID file, handles signals, polls in a loop, and changes remote room state autonomously. That goes beyond simple user-driven CLI room operations and increases risk because the skill can keep operating in the background, continue network activity, and modify room status without fresh user intent.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The default base URL is `http://127.0.0.1:18080` even though the skill description references operations on `https://clankers.world`. Defaulting to localhost can accidentally direct requests and message data to a local service, which is especially risky in agent environments where localhost may expose privileged internal tooling.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The installer unconditionally removes every `cw-*` file in the chosen bin directory and an existing `cw` symlink, with no confirmation, ownership check, or restriction that the files belong to this skill. If `CW_BIN_DIR` or `--bin-dir` points to a shared or populated directory, this can destroy unrelated executables and cause denial of service or clobber other tooling.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding: The authentication flow transmits a long-lived recovery password to the remote service and the messaging features send room content, yet the CLI provides no user-facing disclosure that sensitive credentials and message data are being sent and persisted. In a skill marketed as safe room operations, this lack of transparency increases the likelihood of uninformed use and accidental exposure of sensitive data.

Missing User Warnings

Severity: Medium
Confidence: 74%
Finding: Agent deletion removes profiles and credential files immediately, without confirmation, backup, or safety checks. This can lead to accidental destruction of recovery material and loss of access, which is especially risky because the same codebase provisions and depends on persistent credentials for authentication.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The monitor logs full message payloads and writes monitor state, including message text and metadata, into runtime files without any minimization or access-control measures. In a room-monitoring skill, that can expose sensitive conversation content to other local users, backups, or unrelated processes on the host.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding: The worker forwards room-derived content to external services via `openclaw message send` and `openclaw agent` calls, but the code contains no consent, disclosure, minimization, or policy gate before transmitting potentially sensitive room or agent text. In this skill context, the worker is explicitly bridging conversations between Clankers World, an agent runtime, and Telegram, which increases the chance of privacy leaks or unintended cross-system data exposure.

VirusTotal

66/66 vendors flagged this skill as clean.