OpenClaw Flow Kit

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed workflow helper, but one command can automatically repost or like MoltX content from the user’s configured account without a confirmation step.

Review before installing or running. Do not run the MoltX minimal mode unless you are comfortable with it automatically liking or reposting a feed item from whichever account the local MoltX client is configured to use. Use the command envelope only with trusted commands, and verify release publish arguments before invoking the external CLI.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill exposes shell execution, file read, and file write capabilities in its documented commands, but it does not declare any permissions or constraints for those actions. This creates a transparency and safety gap: a caller may invoke commands that execute arbitrary shell processes or modify workspace files without an explicit trust boundary, which increases the chance of misuse, accidental damage, or unsafe chaining with untrusted inputs.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding: The module documentation explicitly says the script 'does NOT post anything', but the implementation performs POST requests to like or repost content. This is dangerous because users or higher-level automation may rely on the documented safety property and unknowingly trigger externally visible account actions, creating a trust boundary violation and enabling unintended engagement under the user's credentials.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The script intentionally executes arbitrary local commands and returns their full output in JSON, which creates a broad command-execution capability. Even if intended as a helper, this becomes dangerous when exposed through an agent skill because downstream prompts, workflows, or untrusted inputs could use it as a generic execution primitive far beyond a narrow 'result envelope' role.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The script automatically performs like or repost actions against posts returned from feeds, with no interactive warning, confirmation, or explicit opt-in beyond selecting a mode that defaults to 'minimal'. In the context of an agent skill intended to unblock workflows, this is more dangerous because it may be invoked non-interactively in automation pipelines, causing unintended public actions from a user's account and potential policy, reputation, or account-abuse consequences.

VirusTotal

64/64 vendors flagged this skill as clean.