auto-drive

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uploads files or agent memories to permanent public Auto-Drive storage, with clear warnings but real privacy consequences.

Install only if you intentionally want files or agent memories uploaded to permanent public decentralized storage. Review each file or memory before saving, do not store secrets or sensitive personal data, protect the Auto-Drive API key, and only recall memory chains from CIDs you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill clearly instructs the agent to execute shell scripts and perform local file and environment manipulation, yet it declares no permissions. That mismatch can bypass user/admin expectations about what the skill is allowed to do, especially since it can upload files, edit workspace state, and touch local config locations such as ~/.openclaw/.env.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill markets itself as an agent-memory/resurrection utility, but the documented behavior is broader: it can open a browser for setup, store API credentials, verify account status, upload arbitrary files, and download arbitrary content by CID. That gap is security-relevant because operators may grant or invoke it under the assumption that it only handles bounded memory-chain operations, while it actually has more general data exfiltration and local-configuration side effects.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase "store permanently" is broad and likely to match ordinary user requests without making the permanence, publicity, and decentralization consequences explicit. In this skill's context, accidental activation is more dangerous because the action sends data to an immutable public network, where mistaken uploads cannot be meaningfully revoked.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation rule "Any time the user wants data stored permanently and immutably on a decentralized network" is an unconstrained policy that encourages the skill to self-select for many generic storage intents. Because this skill supports generic file upload and memory persistence to public immutable storage, overbroad activation materially raises the risk of unintended disclosure of sensitive workspace content or personal data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation exposes delete, restore, and publish operations but does not warn that published objects become publicly accessible and that underlying data is effectively permanent because CIDs on the DSN cannot be deleted. In an agent skill centered on persistent memory, this omission can cause agents or users to publish sensitive memory/state data under the false assumption that it can later be removed, creating confidentiality and privacy risks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation promotes permanent, content-addressed upload and download behavior but does not clearly warn that data written to this network is effectively irreversible and may remain publicly retrievable indefinitely. In the context of an agent memory skill, this omission is risky because agents may upload prompts, credentials, personal data, or internal state that users assume can later be deleted or rotated.

VirusTotal

65/65 vendors flagged this skill as clean.