Openclaw User Onboarding

Security checks across malware telemetry and agentic risk

Overview

This onboarding skill is not malicious, but it needs Review because it auto-loads, silently changes persistent agent files, and schedules recurring announced messages using stored channel details.

Install only if you want an always-loaded onboarding helper that can modify workspace files and create recurring feature-introduction messages. Before first run, review the files it will write, choose an in-session or clearly verified delivery channel, and confirm you know how to pause onboarding and remove the cron job/state files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The skill goes beyond tracking onboarding state and silently creates or updates core behavioral files (`USER.md`, `SOUL.md`, and `HEARTBEAT.md`). This permanently changes the agent's identity, memory, and background behavior in ways a user may not expect from a simple onboarding flow, increasing the blast radius of a misconfigured or overly broad skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The heartbeat setup establishes an ongoing general-purpose workflow that is broader than feature-introduction scheduling. Because it is silently installed and can influence future agent behavior, it creates persistent automation with unclear scope and insufficient user awareness.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The skill is presented as lightweight onboarding, but its curriculum normalizes high-risk capabilities such as browser automation, webhooks, Gmail triggers, and MCP access. That mismatch matters because users may consent to onboarding without realizing they are being steered toward credentialed operations and external integrations.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README markets the skill as 'automatic' and 'no setup needed' but does not prominently warn that installation causes the agent to write multiple workspace files and create a persistent scheduled onboarding mechanism. That omission undermines informed consent and can lead users to enable durable behavior they did not fully understand, especially because the skill auto-triggers on first session.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill collects personal data such as name, messaging channel, goal, and timezone, then uses that information to configure future delivery behavior without an explicit privacy notice or data-use explanation. This creates avoidable privacy risk, especially when combined with cross-channel communication and long-lived storage.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The instructions explicitly tell the agent to perform multiple persistent workspace modifications silently. Silent writes undermine informed consent and make it harder for users to understand that onboarding changes their environment, persona, and automation state.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill creates an automated cron job that can announce messages to external channels using stored channel metadata, yet it does not prominently warn the user that autonomous outbound messaging will continue in the future. This can lead to unexpected data disclosure, spam-like behavior, or messages being sent to the wrong destination if the channel mapping is incomplete or stale.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The skill persists user profile details across sessions in `USER.md` without any minimization, retention, or access-boundary guidance. Persisting identity, communication preferences, goals, and timezone may be convenient, but it increases exposure if the workspace is shared, synced, or later consumed by other skills.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The cron configuration instructs the agent to retain channel and delivery-target details for future outbound announcements. Retaining and reusing routing metadata across sessions expands the risk of cross-channel leakage, especially if contacts are inferred, stale, or later reused by unrelated workflows.

VirusTotal

65/65 vendors flagged this skill as clean.
