Skill Vexa

Security checks across malware telemetry and agentic risk

Overview

This meeting-bot skill is mostly purpose-aligned, but it ships API-key files and sets up broad webhook-driven agent actions that need review before use.

Do not install or run this package as-is. First remove the bundled secrets directory, rotate any Vexa keys it exposed, and configure your own VEXA_API_KEY. Review any webhook setup carefully, require authentication on the hook endpoint if it is publicly reachable, avoid pasting secrets into chat where an environment variable or a file will do, and confirm which meeting transcripts, recordings, reports, and memory files the skill may create or modify.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Description-Behavior Mismatch

Severity: Medium | Confidence: 91%
The onboarding flow expands beyond configuring the Vexa skill itself and instructs the assistant to modify broader OpenClaw webhook and report-pipeline configuration. This increases blast radius by changing global integration behavior, which could affect unrelated skills or routes and create unintended data flows without clear user-scoped consent.

Context-Inappropriate Capability

Severity: Medium | Confidence: 90%
The skill directs proactive modification of global hook configuration even though webhook/report plumbing is broader than the core meeting-bot function. Automatic edits to shared webhook mappings can reroute events, break existing automations, or create unintended ingestion paths affecting the wider workspace.

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
The transform turns webhook data into an agent task that goes beyond generating a meeting report: it instructs the agent to modify long-term entity memory files. The trigger is external webhook input and the workflow promotes meeting-derived content into persistent knowledge automatically, so an attacker or a malformed payload could get unauthorized or low-integrity data written into memory, with effects that outlast the single meeting report.

Description-Behavior Mismatch

Severity: Medium | Confidence: 90%
The CLI exposes webhook management and voice-agent prompt configuration even though the stated skill purpose is limited to joining meetings and retrieving transcripts, recordings, and reports. This expands the effective attack surface and grants configuration-changing capabilities that a caller may not reasonably expect from the manifest, creating a scope-mismatch risk and possible misuse of downstream integrations.

Description-Behavior Mismatch

Severity: Low | Confidence: 80%
The file includes endpoint switching and per-endpoint API key management that are not reflected in the manifest description. While useful operationally, hidden environment-management features can route data to unexpected backends or store secrets in places users did not anticipate, which is a trust and security-boundary issue.

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%
The command allows setting an arbitrary webhook URL without any apparent validation, restriction, or disclosure. In a meeting/transcript tool, this can silently redirect meeting-derived events or metadata to attacker-controlled infrastructure, causing unauthorized data exfiltration or covert monitoring.

Context-Inappropriate Capability

Severity: Medium | Confidence: 88%
The CLI permits reading, setting, and resetting the voice-agent system prompt, which is unrelated to the narrowly described meeting-bot skill. System prompt changes can alter downstream agent behavior in powerful and potentially unsafe ways, including data handling, persuasion, and execution patterns, making this an unexpected privileged capability.

Missing User Warnings

Severity: Medium | Confidence: 96%
The skill explicitly tells users to paste their Vexa API key into chat and says the agent will write it to a local secrets file. API keys are highly sensitive credentials; requesting them in chat raises the risk of disclosure through chat logs, model retention, prompt-injection side channels, screenshots, or accidental sharing with other tools and plugins.

Missing User Warnings

Severity: Medium | Confidence: 95%
The instructions encourage users to paste an API key into chat and immediately persist it locally, but they do not clearly warn about the privacy implications of transmitting secrets through conversation logs. This can expose credentials to logging, retention systems, screenshots, or mishandling by downstream tooling.

Missing User Warnings

Severity: Medium | Confidence: 95%
The script fetches meeting transcripts and emits a snippet of transcript text to stdout in its JSON output without any interactive warning, consent gate, or redaction. Because meeting transcripts may contain sensitive business or personal information, this can unintentionally disclose private content into terminals, logs, CI artifacts, or downstream tooling.

Missing User Warnings

Severity: Medium | Confidence: 95%
The onboarding flow persists the VEXA_API_KEY to disk by default (`parseBool(args.persist) ?? true`) immediately after entry, without an explicit opt-in confirmation. Even though the file is created with mode 0600, default persistence increases the chance of credential exposure through backups, accidental commits, local compromise, or multi-tool secret discovery on the host.

Missing User Warnings

Severity: Medium | Confidence: 95%
The returned message embeds the raw webhook payload directly into the agent-visible prompt, allowing untrusted external data to influence subsequent agent behavior. If the payload contains adversarial text, it can act as prompt injection through fields copied into the message or JSON dump, potentially altering what files the agent edits, what commands it runs next, or what data it trusts during report creation.

Missing User Warnings

Severity: Medium | Confidence: 85%
The code sends user-supplied webhook URLs to the backend without any user-facing warning about what data may later be delivered there. In the context of meeting bots and transcripts, this lack of transparency increases the risk of unintended sharing of sensitive meeting metadata or content.

Ssd 3

Severity: Medium | Confidence: 96%
The skill explicitly instructs the assistant to collect a user's API key in chat and write it into a secrets file. Secret collection through chat creates avoidable exposure risk because conversational systems may log, retain, or surface the credential beyond the intended scope.

Ssd 3

Severity: Medium | Confidence: 97%
These later steps repeat the instruction to receive the API key via chat and persist it immediately, reinforcing insecure secret-handling behavior. Repetition normalizes sharing credentials in-band and increases the chance the workflow is followed without considering logging or retention risks.

VirusTotal

64/64 vendors reported this skill as clean (no detections). That result covers malware signatures only; it says nothing about the credential-handling and agentic-risk findings above.
