Use OpenClaw Manual

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but its document-reading command can be used to read files outside the OpenClaw manual and it keeps local logs of user arguments by default.

Review before installing. Use it only if you are comfortable with shell scripts that sync docs from GitHub and write local logs. Do not pass untrusted paths to --read or --list, do not search for secrets, consider running with DISABLE_USAGE_LOG=true, and avoid setting DOC_NOTIFY_CHANNEL to public or sensitive channels until path containment and logging controls are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The skill is presented as a local documentation lookup aid, but this script performs network access to GitHub and can emit notifications through the OpenClaw CLI. That mismatch expands the trust boundary: invoking the skill may disclose metadata such as repository access timing, token usage, local paths, or notification content to external systems when a user would reasonably expect only local reads.

Context-Inappropriate Capability

Medium
Confidence: 83%
Finding
The notification feature is unrelated to the core purpose of consulting official documentation and introduces an additional side effect via the OpenClaw CLI. Extra outbound messaging can leak local filesystem paths, update cadence, and environment-derived channel names, and it increases the attack surface beyond what users expect from a documentation helper.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The script implements persistent usage telemetry even though the skill's stated purpose is to consult local OpenClaw documentation before configuration work. That mismatch is security-relevant because hidden or unrelated data collection increases the attack surface and can capture sensitive operator activity without a clear functional need.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The logger records command arguments and results verbatim, which can include secrets, file paths, tokens, prompts, or internal operational details. In a documentation-search skill, this telemetry is not justified by core functionality, so if the log is read by another user, process, or later exfiltrated, sensitive data may be exposed.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation describes behavior that downloads files, writes to the local filesystem, updates a baseline file, and sends notifications, but it does not clearly warn users that these are state-changing and potentially externally visible actions. In an agent skill context, insufficient disclosure can cause unintended persistence, overwrite of local data, or unexpected outbound notifications when a user may assume the skill is read-only.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script logs raw user-supplied arguments for search, read, and list operations into usage.log by default, and only documents this behavior in the help text rather than warning at execution time or minimizing sensitive data capture. In this skill’s context, users may search for internal configuration names, paths, tokens, workspace identifiers, or other sensitive operational details, so persistent local logging increases the risk of inadvertent disclosure to other local users, backups, or later collection processes.

Missing User Warnings

Medium
Confidence: 98%
Finding
The --read path is concatenated directly into "$LOCAL_DOCS/$doc" and only checked with -f, so values like "../../../../etc/passwd" can resolve outside the manual directory and be printed with cat. In an agent skill context, this turns a documentation tool into a local file disclosure primitive, which is significantly more dangerous because the agent may be induced to read secrets or system files.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script writes usage data to a local log file without any visible disclosure, consent flow, or notice in this component. Undisclosed persistence of user activity is dangerous because operators may unknowingly place sensitive inputs into a durable artifact that can later be accessed, backed up, or transferred.

VirusTotal

65/65 vendors flagged this skill as clean.
