Mac AI Optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it can make broad Mac system changes and enable remote access without strong confirmation or rollback safeguards.

Install only if you explicitly want this agent to administer your Mac for AI workloads. Review each tool before use, avoid running full_optimize unless you also want SSH enabled, and be aware that Docker cleanup may remove unused images or stopped containers. After testing, manually verify Spotlight, Siri, crash reporting, Docker state, and Remote Login settings because the included revert script does not fully undo every security-relevant change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (16)

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The example trigger phrase is a broad natural-language request that overlaps with ordinary user intent, making accidental invocation plausible in agent environments. Because this skill performs impactful system modifications, a generic phrase can cause the agent to select and run optimization actions without the user understanding the scope of changes.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The OpenClaw example uses an everyday help-style phrase that could match normal conversation rather than a deliberate request to run a privileged optimization workflow. In context, this is risky because the advertised tools can change OS settings, Docker limits, and remote access configuration.

Missing User Warnings

Severity: High
Confidence: 95%
Finding:
The README promotes disabling core macOS services, reducing UI protections, and enabling SSH without clearly warning about security, privacy, availability, and supportability tradeoffs. Users may apply the skill expecting harmless performance tuning, while actually weakening system monitoring, exposing remote access, or impairing normal functionality.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The trigger language is overly broad and can activate on vague requests about performance or AI usage, increasing the chance the skill runs in contexts where the user did not explicitly consent to system-level changes. In this skill, that risk is amplified because the advertised actions include disabling services and enabling SSH, which are disruptive and security-relevant operations.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The skill describes impactful system modifications, including disabling background services and enabling remote login, without clear warnings about side effects, security implications, or the need for explicit approval. This is dangerous because users may invoke optimization expecting harmless tuning, while the skill can reduce functionality, weaken privacy protections, or expose the machine to network attack surface via SSH.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill executes bundled shell scripts directly via execSync with no in-code confirmation, policy gating, or per-tool safety checks at execution time. In this skill's context, those scripts are explicitly intended to make invasive system changes (disable services, alter Docker settings, enable SSH, revert system defaults), so a single tool invocation can trigger privileged and security-sensitive OS modifications without an additional trust boundary.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding:
The plugin description makes broad, high-impact claims about optimizing macOS into an AI server node without clearly constraining when or how the skill should be invoked. In agent ecosystems, vague trigger language can cause the skill to be selected in overly broad contexts, increasing the chance of unsolicited system changes such as service tuning or remote-management setup.

Natural-Language Policy Violations

Severity: Low
Confidence: 88%
Finding:
The description explicitly promotes enabling SSH remote management, which is a security-sensitive change that can expand remote attack surface if invoked without clear user consent, policy awareness, or environment checks. In this skill's context, the risk is elevated because the skill is framed as a system optimizer, making remote access sound like a routine tuning step rather than a deliberate administrative decision.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The trigger conditions are broad enough that the skill could activate for generic performance or AI-related requests without clearly establishing that the user wants invasive system changes. In this context, the skill can disable services and enable SSH, so ambiguous activation materially increases the risk of unintended system modification.

Missing User Warnings

Severity: High
Confidence: 94%
Finding:
The skill advertises reducing memory usage by disabling core macOS services but does not warn about functionality loss, privacy/security tradeoffs, or reversibility. Users may unknowingly impair search, assistant features, photo processing, or other system behavior, making the changes risky and potentially hard to diagnose afterward.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
Enabling SSH opens a remote administration surface on the Mac, but the skill description does not warn that this increases exposure to unauthorized access if credentials, firewall rules, or account restrictions are weak. Because this is framed as a convenience step in optimization, users may enable remote login without understanding the security implications.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The full optimization workflow chains several system-altering actions, culminating in SSH enablement, but presents them as a single convenience command without surfacing the cumulative risk. Bundling these actions increases the chance that a user will authorize broad, security-relevant changes without understanding each step or having the opportunity to decline sensitive ones.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script automatically runs `docker system prune -f`, which deletes unused containers, networks, and images without any interactive confirmation. In an optimization skill, this is risky because users may run it expecting only performance tuning, but it can still remove artifacts needed for local development, cached images, or stopped workloads, causing disruption or data loss of ephemeral resources.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The script unconditionally enables macOS Remote Login via SSH without an explicit confirmation prompt, risk warning, or access-scoping step. This increases the system’s remote attack surface and is more concerning in this skill’s context because it is explicitly turning a local Mac into a remotely managed AI node, making network exposure an intended outcome rather than an incidental side effect.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script performs SSH setup automatically as part of a generic optimization workflow, without a dedicated warning, opt-in prompt, or clear description of the security implications. Enabling remote access expands the attack surface of the host and may expose the machine to unauthorized access if SSH is weakly configured, especially on laptops or home-networked Macs.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The script makes multiple impactful system changes immediately on execution, including disabling Spotlight, changing user defaults, killing background daemons, and invoking privileged operations, without any confirmation, dry-run mode, or rollback guidance. This is dangerous because a user may trigger disruptive or privacy-affecting changes unintentionally, and in an agent/automation context the lack of interlocks increases the chance of unsafe unattended execution.

VirusTotal

65/65 vendors flagged this skill as clean.