Skill Vexa

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Vexa meeting assistant, but its optional webhook automation can turn external meeting events into agent tasks that write persistent local memory.

Install only if you are comfortable giving the skill access to Vexa meeting data, recordings, bot controls, and local report storage. Keep the webhook disabled unless you need automatic reports; if enabling it, restrict the public hook endpoint, verify hook authentication, and review any memory/entity changes before relying on them. Do not configure custom endpoints or share/download links unless you trust where meeting data will go.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The onboarding script reads unrelated local OpenClaw configuration and session state from the user's home directory to determine hook setup and prior webhook activity. That crosses the skill boundary and accesses data not required for core onboarding, creating privacy and trust issues and increasing the blast radius if the script is run in a sensitive local environment.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The script can extract the local hook bearer token from OpenClaw config and use it to send an authenticated synthetic webhook to the local gateway. Even though intended for testing, this bypasses normal trust assumptions and could inject fabricated meeting events into the local automation pipeline, potentially triggering downstream actions or poisoning state.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The transform converts an untrusted webhook into high-authority agent instructions that go beyond generating a meeting report and direct writes to persistent `memory/entities/` stores. This is dangerous because any party able to influence webhook delivery or payload selection can trigger unintended state changes in the agent's local knowledge base, creating a confused-deputy path from external event input to persistent modification.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The injected task explicitly instructs the agent to create or modify local entity files, which expands the effect of a webhook from passive event handling into persistent filesystem mutation. In this skill context, webhook payloads are external and potentially attacker-controlled, so embedding them into an instruction-following message increases the risk of unauthorized or misleading updates to long-lived memory stores.

Context-Inappropriate Capability

Severity: Medium
Confidence: 82%
Finding:
The skill allows arbitrary API base URLs and stores per-endpoint API keys, which lets the CLI be retargeted to non-Vexa or attacker-controlled backends while continuing to send authenticated requests and potentially sensitive meeting metadata. In a skill advertised for a specific SaaS purpose, this broad retargeting increases the risk of silent data exfiltration or credential misuse if endpoint config is tampered with or users are tricked into switching environments.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The script retrieves meeting metadata and transcript snippets, then prints them directly to stdout as JSON. Stdout is commonly captured by shells, CI logs, agent telemetry, or wrappers, so sensitive meeting URLs, names, IDs, and transcript content can be exposed without any minimization or explicit user confirmation.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The script writes full meeting transcripts and metadata to a local markdown file under the current workspace without any consent prompt, sensitivity warning, retention control, or file permission hardening. Because transcripts may contain confidential business discussions, participant data, and meeting URLs, this creates a real privacy and data-exposure risk if the workspace is shared, synced, indexed, or later exfiltrated by other tools.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The transform embeds raw webhook payload data directly into the generated message that the downstream agent will read, mixing untrusted input with executable-style task instructions. This creates a prompt-injection surface where attacker-controlled payload fields can influence agent behavior, leak sensitive meeting data into downstream contexts, or manipulate report content without any boundary, sanitization, or disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.
