ClawHub

E.x.O. Installer

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed installer and health-check skill for E.x.O. tools, with powerful but purpose-aligned package install, update, clone, and optional monitoring commands.

Install only if you trust the E.x.O. npm packages and GitHub organization. Have your agent ask before running `exo install --all`, `exo update`, `exo internal clone`, or `exo cron setup`, and review any installed tools' own OpenClaw, memory, Telegram, and configuration behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README advertises Telegram alerting and cron-based daily checks without clearly warning users that the tool may send outbound messages and install scheduled background tasks. Even if this behavior is legitimate, failing to disclose network egress and persistence-like scheduling reduces informed consent and can surprise users in sensitive environments where outbound communications or unattended jobs are restricted.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill presents installation, update, and auto-registration commands without clearly warning that they modify the local system, may install software from external sources, and can change OpenClaw configuration/state. This can cause users or downstream agents to run impactful commands without informed consent, increasing the risk of unintended package installation, configuration changes, or trust of private-repo operations.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal