OCTOOL for backup

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent OpenClaw backup tool, but it explicitly denies clipboard access while automatically copying high-impact shell commands to the clipboard.

Review carefully before installing. Use a fine-grained GitHub token limited to the intended private repository, inspect every generated command before pasting it into a terminal, and be aware that this version may overwrite your clipboard with shell commands despite claiming no clipboard access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The code uses navigator.clipboard.writeText and a fallback copy mechanism even though the security declaration explicitly claims no clipboard API access. Clipboard writes can overwrite user clipboard contents and, in this context, proactively copy long shell scripts containing sensitive paths or repository details without sufficiently granular consent.

Intent-Code Divergence

High
Confidence: 98%
Finding
The file claims it does not access clipboard APIs, but later code writes command text to the clipboard. This security mismatch is dangerous because it undermines user trust and can conceal behavior that causes users to paste commands they did not intend to copy, particularly in a tool that produces shell scripts for terminal execution.

Session Persistence

Medium
Category: Rogue Agent
Content
### 🔒 Privacy & Security (Please Read)
- **True Zero External Tracking**: All external dependencies have been removed. This tool runs 100% client-side in your local browser sandbox. The only external call is to `api.github.com` when you explicitly opt into Git mode. You can verify offline safety by opening DevTools > Network — zero requests without a GitHub token.
- **Credential Handling**: The GitHub PAT is used only for two `api.github.com` calls: `GET /repos/{owner}/{repo}` (verify access) and `PUT /repos/{owner}/{repo}/contents/{path}` (write backup). The token is stored in `sessionStorage` only — **it is automatically cleared when the tab is closed** and is never written to `localStorage`. We recommend a fine-grained PAT scoped to `Contents: Read and Write` on the target repo only.
- **Proxy Detection**: The generated `oc()` command detects system proxy using native macOS `scutil --proxy` piped through `awk`. No `node -e`, no `eval`, no dynamic code execution. Read-only syscall only.
- **Shell Command Generation**: This tool generates `sed`, `rsync`, `cp`, and `git` commands displayed as plaintext for your review. **No commands are auto-executed.** The `bash_profile` write command includes an idempotent guard (`OC_TOOL_BLOCK` marker check) — safe to run multiple times. All user inputs that flow into generated shell commands (paths, tags, commit messages, rsync excludes) are validated at generation time; inputs containing shell metacharacters are rejected with a visible error.
- **Local File Reading**: Files are read only when you explicitly drag them into the drop zone via the browser File API. No background disk access occurs.
Confidence: 78%
Finding
write backup). The token is stored in `sessionStorage` only — **it is automatically cleared when the tab is closed** and is never written to `localStorage`. We recommend a fine-grained PAT scoped to `

VirusTotal

64/64 vendors flagged this skill as clean.
