ClawHub

smart-keepalive

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: fetch brief content, ask OpenClaw or a configured command to format it, and send scheduled keepalive messages.

Install only if you are comfortable with a scheduled script fetching internet sources, invoking OpenClaw/Hermes or your custom commands, sending messages, and writing local logs/state. Do not set KEEPALIVE_AGENT_COMMAND, KEEPALIVE_SEND_COMMAND, RSS/weather URL overrides, or scheduler settings from untrusted input; disable KEEPALIVE_REST_REMINDER or KEEPALIVE_STATUS_FOOTER if recent activity or footer-generation privacy matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tainted flow: 'req' from os.getenv (line 549, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
"Pragma": "no-cache",
            },
        )
        with urllib.request.urlopen(req, timeout=12) as resp:
            html_text = resp.read().decode("utf-8", errors="ignore")
    except Exception:
        return ""
Confidence
88% confidence
Finding
with urllib.request.urlopen(req, timeout=12) as resp:

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill explicitly supports KEEPALIVE_AGENT_COMMAND and KEEPALIVE_SEND_COMMAND, then executes them via /bin/sh -lc with the full environment and high-value data such as message content, target, and prompt injected into environment variables. This creates an arbitrary command-execution hook that can be abused by anyone who can influence runtime environment variables, and the shell execution path substantially increases risk.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill reads session metadata from agents/<id>/sessions/sessions.json to infer when the user was recently active and uses that to generate behavioral reminders. This is a privacy-sensitive behavior because it processes user activity history without an explicit consent mechanism or strong minimization, and it can reveal habits such as late-night activity.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill sends message snippets and the agent identity name from local files into an external agent invocation to generate a status footer. Even if the data volume is small, it is user/session-derived content transmitted to another model/service path without an explicit warning, consent gate, or minimization controls.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal