Sequoia-X

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned, but installation runs mutable external code and includes an unwarned database deletion step, so it should be reviewed before use.

Install only if you trust the live Sequoia-X GitHub project. Prefer pinning or reviewing a specific commit before running, use an isolated Python environment, keep the Feishu webhook private, and back up ~/sequoia-x/data/sequoia_v2.db before using the documented reset command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill instructs users to run installation and execution scripts and to provide a Feishu webhook, which implies environment and network access, yet no permissions are declared. This creates a transparency and consent problem: an agent or user may invoke a skill with broader capabilities than expected, increasing the risk of unintended outbound network activity or access to local configuration.

Missing User Warnings

Medium
Confidence: 84%
Finding: The documented troubleshooting flow includes deleting the SQLite database to force a full resync, but it does so without a prominent warning that this permanently destroys local data. Users or agents following the instructions may erase historical data unintentionally, which is especially risky in a financial analysis workflow where local datasets may be valuable.

Tool Parameter Abuse

High
Category: Tool Misuse
Content:
```
sqlite3 ~/sequoia-x/data/sequoia_v2.db ".tables"

# Force a full resync
rm ~/sequoia-x/data/sequoia_v2.db
SKILL_DIR=$(find ~/.openclaw/skills -name "run.sh" -path "*/sequoia-x/*" -exec dirname {} \; | head -1)
bash "${SKILL_DIR}/scripts/run.sh"
```
Confidence: 93%
Finding: rm ~/sequoia-x/data/

VirusTotal

64/64 vendors flagged this skill as clean.
