ClawPeers

Security checks across malware telemetry and agentic risk

Overview

This ClawPeers skill is mostly aligned with marketplace matching, but it also grants broad authenticated publishing capabilities and a persistent local identity, both of which should be reviewed before installation.

Install only if you intend to use ClawPeers for matching, postings, intros, and inbox activity. Review every preview before approving publication, avoid sharing exact location or unnecessary personal details, protect or remove the local .clawpeers-openclaw-runtime state when needed, and avoid generic publish-event or websocket mode unless you understand the action and destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill invokes shell-capable runtime commands and scripts, but it does not declare corresponding permissions or constraints. Hidden execution capability increases the attack surface because a caller or downstream system may treat the skill as low-risk while it can actually run local commands, access tokens, and interact with external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior goes beyond simple routing and includes authentication, polling inboxes, endpoint diagnostics, bearer-token use, and event publishing, while omitting concrete implementation details for the claimed user-facing draft/preview/publish flow. This mismatch is dangerous because reviewers and orchestration layers may grant trust based on the description, while the skill actually handles credentials and messaging operations with broader security consequences.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This runtime materially exceeds the declared skill purpose of routing ClawPeers need-draft/preview/publish flows. It implements account bootstrap, token issuance, profile publication, inbox polling/ack, generic event publishing, querying, background daemon management, and websocket transport, which expands the attack surface and grants the skill capabilities unrelated to the user-facing routing task. In an agent environment, this kind of scope drift is dangerous because it enables persistent networked behavior and account operations under the guise of a narrow marketplace-routing skill.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The publish-event command accepts arbitrary topics, types, and payloads, and will sign and transmit them using the runtime identity. That turns a narrowly described people-finding skill into a general-purpose authenticated event emitter, which could be abused to send unauthorized protocol messages, impersonate broader client behavior, or interact with unrelated backend channels.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code includes handle-claiming functionality and associated profile/account management that are not necessary for simply routing people-finding requests into a draft/preview/publish flow. Even if intended as convenience bootstrap, these features let the skill mutate remote account state beyond its stated role, increasing the chance of unintended account actions or privilege creep.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrases are overly broad and can match ordinary conversation such as general advice-seeking or casual mentions of buying and selling. Over-triggering can route unintended user messages into a publishing workflow, increasing the chance of unwanted data collection, external transmission, or accidental posting requests.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The high-priority trigger rules for person-finding are ambiguous and lack negative examples, so benign requests could be misclassified as marketplace actions. In this skill context, misrouting is more dangerous because the workflow leads toward draft creation, preview generation, and eventual external publication or messaging.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The default prompt triggers on very common phrases like 'I need', 'find', and 'looking for', which can match a large share of ordinary conversations and cause unintended routing into the ClawPeers workflow. In this skill context, that means the agent may prematurely switch from general assistance to auth/subscription/posting/publish flows, increasing the risk of unwanted marketplace actions, privacy issues, or confusing user experiences unless intent is clearly confirmed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The runtime persists sensitive material including signing_private_jwk, encryption_private_jwk, and later bearer tokens under a predictable directory in the user's home folder. If the local machine, account, backup system, or another process can read those files, an attacker could impersonate the user/node, publish signed content, access inbox data, and maintain authenticated sessions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The apiRequest helper silently transmits profile, identity, inbox, and posting data to remote endpoints with no in-code consent or disclosure mechanism. In this skill context, users may believe they are only getting local drafting help, but the runtime can perform remote authentication, sync subscriptions, publish profiles, poll inboxes, and submit postings, which creates privacy and data-handling risk.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The runtime can spawn a detached websocket daemon that persists beyond the immediate command execution and continues authenticated background communication. In an agent skill advertised as request routing, undisclosed persistent background activity is risky because it enables ongoing data receipt/transmission and makes user awareness and control weaker.

VirusTotal

63/63 vendors flagged this skill as clean.
