clawlens

Security checks across malware telemetry and agentic risk

Overview

Clawlens appears to be a real usage-report tool, but it needs review because it can send broad OpenClaw conversation history to an external LLM using saved local credentials.

Install or run this only if you are comfortable sending OpenClaw conversation history and derived summaries to the selected LLM provider. Before running, limit scope with --days and --max-sessions, consider specifying --model with a deliberately provided API key instead of auto-reading saved OpenClaw credentials, and delete the .clawlens-cache directory afterward if the generated facets are sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding
The skill's top-level description presents it as a retrospective/usage-insights tool, but the manifest also reveals materially sensitive behavior: reading auth-related local config, scanning installed skills, and sending transcript-derived data to an external LLM provider. That mismatch can undermine informed consent, causing users to invoke a seemingly harmless analytics skill without realizing the breadth of local access and third-party data disclosure involved.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The skill's stated purpose is retrospective analysis of conversation history, but it also inventories installed skills from the user's OpenClaw environment. That is extra environmental data collection beyond the core task, and it can reveal sensitive information about the user's tooling, workflows, and installed capabilities without clear necessity or disclosure.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The code reads API keys and OAuth access tokens directly from local OpenClaw auth profiles to make outbound LLM requests. This expands the skill from passive local analytics into credential-consuming behavior not evident from the manifest, creating a sensitive capability that could be abused or surprise users.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
Although the skill appears to perform local retrospective analysis, it sends aggregated session data and report-generation inputs to an external LLM provider. This violates user expectations about local-only processing and can expose private behavioral metadata, summaries, and derived insights to third parties.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger phrase 'analyze my conversations' is broad enough to match many ordinary requests unrelated to this specific skill. In context, accidental invocation is risky because the skill reads large amounts of conversation history and may transmit transcript content to an external LLM, so ambiguous triggering can lead to unintended privacy exposure.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The phrases 'usage insights' and 'usage analysis' are generic and can overlap with many unrelated assistant tasks, increasing the chance of unintended activation. Because this skill accesses local session logs and can disclose transcript-derived content to a third-party model provider, ambiguous routing has meaningful privacy and consent implications.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The script transmits conversation-derived content to an external LLM without any user-facing warning in the execution path. Because transcripts may contain personal, confidential, or regulated data, silent exfiltration to a third-party model provider creates a serious privacy and policy risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The code accesses locally stored API keys and OAuth tokens from auth profiles without explicit disclosure to the user. Even if used only for legitimate calls, silently reading secrets increases the trust boundary of the skill and normalizes hidden credential access.

Ssd 3

Severity: High
Confidence: 99%
Finding
The transcript-building and facet-extraction flow sends raw user messages, assistant responses, tool calls, and tool results to an external LLM. That creates a direct natural-language data exposure path for potentially sensitive conversation contents and operational details, especially because tool results may contain confidential outputs.

Ssd 3

Severity: High
Confidence: 98%
Finding
For large sessions, the code chunks and summarizes transcript segments by sending each chunk to the external LLM, widening the same exposure channel across long conversations. This increases total leaked surface area and may disclose more complete sensitive histories than a single bounded request.

VirusTotal

61/61 vendors flagged this skill as clean.
