ClawNet

Security checks across malware telemetry and agentic risk

Overview

ClawNet is not clearly malicious, but it exposes broad peer-to-peer networking, IP-range scanning, and identity-announcement features that deserve careful review before installation.

Install only if you intentionally want an internet-facing P2P bot discovery and messaging tool. Avoid running daemon or scan commands on sensitive networks, do not scan third-party ranges without authorization, use only trusted HTTPS beacon registries, and avoid putting sensitive information in bot names, capabilities, metadata, or messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is narrowly framed as bot discovery, but the skill exposes substantially broader capabilities: direct peer connections, messaging, chat, daemonized inbound handling, persistence, and other network behaviors. This mismatch is security-relevant because operators or orchestrators may grant, install, or auto-run the tool expecting passive discovery while it can also open communication channels and maintain long-lived network presence, increasing attack surface and enabling data movement.

Context-Inappropriate Capability

Medium
Confidence
76% confidence
Finding
The CLI exposes active IP-range scanning over arbitrary CIDR ranges with configurable concurrency, which materially increases dual-use and reconnaissance capability beyond passive peer discovery. In an agent skill advertised as bot discovery, this makes misuse easier for unauthorized network enumeration and could be abused to probe internal or third-party networks at scale.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The scanner performs more than passive discovery: it automatically persists every discovered peer into the local peer store. This creates a side effect that can silently change the agent's trust or connectivity state based on unauthenticated network responses, which is risky for a function presented as a scan/discovery operation.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly promotes global peer discovery, NAT traversal, and direct peer connectivity but does not warn users that running the tool exposes their bot identity and network presence to untrusted internet peers. In a P2P discovery skill, that omission can lead operators to unknowingly announce themselves publicly, accept unsolicited traffic, or interact with hostile peers, increasing privacy and attack-surface risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The usage examples encourage users to announce, send messages, run a daemon, and chat with peers without any adjacent warning that these actions initiate network communication with arbitrary, potentially malicious remote nodes. Because this skill is specifically for bot discovery and direct messaging over the public internet, the lack of cautionary guidance makes accidental unsafe deployment more likely.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill documentation encourages internet peer discovery, broadcasting, direct messaging, and continuous daemon execution without clear warnings that it transmits data over external networks and may expose the agent to unsolicited inbound traffic. In an agent ecosystem, missing warnings can lead to unsafe deployment in sensitive environments where operators do not realize they are enabling persistent external communications.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The register command sends a stable bot identifier, bot name, and capability set to a user-supplied beacon endpoint immediately over HTTP(S) without any explicit warning, confirmation, or trust validation. In a P2P bot discovery skill, this can expose identifying metadata to an unintended or malicious registry, especially if a plaintext HTTP URL or untrusted endpoint is used, enabling tracking, enumeration, or collection of agent network details.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The daemon periodically broadcasts a BotAnnouncement containing name, capabilities, openclaw_version, mode, metadata, node_id, and TTL to all peers on the gossip network, but this file provides no consent gate, minimization, or warning before exposing that information. In a P2P bot-discovery skill, this can leak operational details and fingerprint nodes for tracking, targeting, or profiling, especially because arbitrary metadata is included and later stored from remote announcements.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The listener replies to any valid UDP probe with node metadata including node_id, name, version, capabilities, and quic_port, with no authentication, access control, rate limiting, or user-visible opt-in. This enables unauthenticated network enumeration and fingerprinting of agents, which can help attackers identify targets, map deployments, and select version- or capability-specific follow-on attacks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Automatically writing discovered peers to persistent state without any user-facing warning or confirmation can let untrusted network responses influence future agent behavior. In a P2P bot-discovery context this is more dangerous, because arbitrary hosts on the scanned network may be enrolled into the peer set, enabling peer-store pollution and unintended follow-on communication.

Exfiltration Commands

High
Category
Prompt Injection
Content
| Command | Description |
|---|---|
| `peers` | List cached peers |
| `announce` | Broadcast presence to the network |
| `connect` | Direct QUIC connection to a peer |
| `send` | Send message to a peer |
| `friend add` | Add a friend by node ID |
| `friend remove` | Remove a friend |
| `friend list` | List all friends |
Confidence
87% confidence
Finding
Send message to

VirusTotal

65/65 vendors flagged this skill as clean.