Clawhub Upload

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware-like, but it materially overstates its macOS security capabilities while requesting local command-execution permissions.

Review before installing. Treat this as a small third-party local status-check helper, not a comprehensive 52+ task security suite. Only install if you are comfortable granting local command execution, and do not rely on it for app removal, keylogger/rootkit detection, or broad macOS protection unless those features are separately verified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The declared interface presents the skill as security monitoring, but it also exposes an active `blockApp` capability that can alter system behavior. This mismatch weakens informed consent and trust boundaries: a user or orchestrator expecting passive inspection may grant the skill broader use than intended, enabling disruptive actions against local applications.

Intent-Code Divergence

Low
Confidence
76% confidence
Finding
Labeling `blockApp` as a 'simplified blocker' in a monitoring-oriented skill reinforces the capability mismatch and normalizes an active control function without clarifying scope or safeguards. While the declaration file alone does not show exploit code, this documentation inconsistency can mislead reviewers and downstream systems about the risk profile of the skill.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill presents itself as an OpenClaw macOS security monitor, but the implementation is heavily branded as a third-party commercial product and mixes monitoring with product promotion. This mismatch undermines transparency and trust, and can mislead users into invoking a capability set different from what the manifest implies.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill embeds repeated upsell messaging and external links throughout security-related command outputs, which is not necessary for core monitoring behavior. In a security skill, this creates a trust and social-engineering risk by conditioning users to click external links from privileged diagnostic results.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README advertises a destructive action (`/block-app <name>`) and even shows an example of moving an app to Trash, but it gives no warning about confirmation, authorization checks, false positives, or recovery steps. In a security skill, users may trust automated blocking more readily, so documenting destructive behavior without safeguards increases the risk of accidental or abusive removal of legitimate applications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The command list includes `block-app <name>` and `uninstall <name>` as normal capabilities without any caution about destructive system changes. This is risky because a user or downstream agent could treat these as routine safe commands, leading to unintended removal of legitimate software or system instability.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises an app-blocking capability as an instant security feature but provides no warning that blocking applications can interrupt legitimate processes, networking, or user workflows. In a security-themed skill, users may be more likely to trust and invoke disruptive actions quickly, increasing the chance of unintended denial-of-service against benign apps.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The interface exposes network/environment scanning (`openPorts`, `wifiScanner`, VPN and firewall checks) plus application blocking without any visible user warning, disclosure, or consent model. In an agent ecosystem, these capabilities can collect sensitive local security posture information or disrupt software operation, making silent invocation materially risky even if the functionality is framed as defensive.

Missing User Warnings

Low
Confidence
67% confidence
Finding
The skill runs local system inspection commands such as lsof, scutil, system_profiler, and firewall queries without any in-file disclosure, consent prompt, or data-minimization guardrails. While these commands are read-only, they can reveal sensitive details about running applications, network exposure, VPN usage, and Wi‑Fi security state, which may surprise users or leak privacy-relevant information through the agent environment.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The camera-status check runs local inspection commands against system process/file usage to infer whether the camera is active, but there is no explicit disclosure or consent prompt about inspecting sensitive device activity. Even if the command is read-only, querying privacy-sensitive state without warning is risky in an agent skill because users may not expect this level of host introspection.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The microphone-status function similarly performs subprocess-based inspection of local system state to infer microphone usage without explicit disclosure. Because microphone activity is highly privacy-sensitive, hidden or non-obvious inspection increases the chance of violating user expectations and organizational policy.

Excessive Permissions

Low
Category
Privilege Escalation
Content
## 🔒 **Security & Privacy**

**This skill requires the following permissions:**
- `exec` - Run macOS security commands (lsof, ps, etc.)
- `fs.read` - Read TCC database for permissions
- `network` - Check network connections
Confidence
72% confidence
Finding
permissions:*

VirusTotal

65/65 vendors flagged this skill as clean.
