Baton

Security checks across malware telemetry and agentic risk

Overview

The skill's stated purpose as a request router is understandable, but its installer and helper scripts appear to change agent behavior persistently, schedule execution, use provider credentials, and expose broad task status without enough user control.

Install only after reviewing the installer and disabling or confirming the cron job, BOOT.md/AGENTS.md changes, gateway restart, provider probing, and all-agent status access. This looks like an overbroad orchestration/admin skill rather than clear malware, but it should be treated as Review until its scope, consent prompts, and authorization boundaries are tightened.

SkillSpector (by NVIDIA)
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (25)

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The startup routine grants the skill persistent local state, autonomous execution on every restart, and the ability to resume prior tasks, which exceeds the declared role of a passive request router. This mismatch increases the attack surface and can enable unreviewed background behavior, persistence, and unintended data retention.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The file instructs Baton to read provider configuration, including API key references, and to run scripts that use those credentials to query external provider APIs. For a skill described as only routing requests, this is over-privileged access to sensitive configuration and creates risk of credential misuse, unintended exfiltration, or expanded external communication beyond user expectations.

Intent-Code Divergence
Severity: High
Confidence: 98%
Finding: The skill description says Baton 'never does work itself,' yet the boot file assigns it onboarding, config inspection, helper script execution, task management, and autonomous resumption behavior. This capability mismatch is dangerous because operators may grant trust based on the published role while the actual instructions authorize substantially broader and more invasive actions.

Intent-Code Divergence
Severity: Medium
Confidence: 84%
Finding: The directives say Baton 'never does work itself,' yet the skill is instructed to do planning, validation, retry-prompt construction, and startup actions directly. This inconsistency can bypass user expectations and any controls designed for a pure router, leading to unauthorized local actions or unreviewed decision-making inside the orchestrator.

Description-Behavior Mismatch
Severity: Medium
Confidence: 87%
Finding: Across the full skill document, the claimed role of a pure orchestrator is contradicted by direct task handling steps and operational logic. In security terms, this broadens the trusted computing base and can cause operators to underestimate what the skill may do with its granted permissions.

Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: The onboarding guide materially expands the skill's behavior beyond simple orchestration by instructing provider probing, model capability research, and policy collection. That mismatch creates an over-privileged and under-declared capability surface, making it easier for operators to authorize a routing-only skill that actually performs administrative and discovery actions.

Context-Inappropriate Capability
Severity: Medium
Confidence: 89%
Finding: Web-search-based capability discovery is outside the stated role of a pure request router and introduces external data transmission and content ingestion. In this context, the mismatch is dangerous because users may not expect this skill to send model/provider identifiers or derived queries to third-party search services.

Context-Inappropriate Capability
Severity: Medium
Confidence: 91%
Finding: The guide instructs execution of local probing scripts even though the skill is described as only routing requests to subagents. This expands the operational authority of the skill into local script execution and environment interrogation, which can be risky if users grant trust based on the narrower manifest description.

Context-Inappropriate Capability
Severity: Low
Confidence: 83%
Finding: Collecting model and agent restriction policies is an administrative control function, not simple routing. While not inherently malicious, embedding policy administration in a routing-only skill blurs trust boundaries and can lead to unintended control over model availability and agent behavior.

Description-Behavior Mismatch
Severity: High
Confidence: 95%
Finding: The installer performs broad system and workspace modifications, creates persistent state directories, schedules automation, and controls the OpenClaw gateway, which exceeds the declared role of a passive orchestrator. This mismatch is dangerous because users may install the skill expecting simple routing behavior, while the script silently alters execution context and platform behavior in ways that can persist across sessions.

Context-Inappropriate Capability
Severity: High
Confidence: 97%
Finding: The script schedules an autonomous one-shot cron job that instructs the agent to read and follow BOOT.md exactly, enabling unattended post-install execution. Autonomous execution is risky because it creates persistence and can trigger behavior outside the user's immediate awareness, especially when coupled with startup hooks and instruction files that influence future agent sessions.

Context-Inappropriate Capability
Severity: High
Confidence: 96%
Finding: Restarting the OpenClaw gateway is an administrative action that changes runtime state for the whole environment and immediately activates modified boot and agent instructions. This is dangerous because it applies persistent configuration changes without prior approval and can disrupt active sessions or force newly injected instructions to take effect immediately.

Description-Behavior Mismatch
Severity: High
Confidence: 87%
Finding: The helper performs live probing of provider APIs and local OpenClaw CLI commands, including resolving API keys from configuration/environment and making outbound requests. In the context of a skill advertised as a pure router, this expands the trust boundary significantly: a routing helper now has network egress and secret-adjacent access, which can be abused to enumerate providers, consume quota, or contact attacker-controlled endpoints if configuration is poisoned.

Context-Inappropriate Capability
Severity: High
Confidence: 95%
Finding: The script explicitly reads provider configs and resolves API key material in order to make outbound HTTP requests. Even though it attempts to sanitize output, this is a sensitive capability for a general orchestration helper: compromise of probe configuration, malicious provider endpoints, or future logging/debug changes could expose secrets or cause unauthorized use of credentials against unintended destinations.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The --all-status path exposes instance-wide task data for all agents but performs no authorization in this script, explicitly trusting the caller to have checked elevation. Any agent or caller that can invoke this helper directly can bypass the intended privilege boundary and enumerate other agents' tasks, activity, and cost metadata.

Intent-Code Divergence
Severity: High
Confidence: 98%
Finding: The comments claim all-agent status is elevated-only and checked before invocation, but the implementation contains no such check. This mismatch is dangerous because it creates a false sense of safety while leaving sensitive cross-agent visibility accessible to any direct caller of the script.

Vague Triggers
Severity: Medium
Confidence: 81%
Finding: The catch-all routing rule ('else | Decompose and Execute') means any unrecognized request is pushed into execution flow by default. That increases the risk of unintended task execution, especially when combined with script execution privileges and startup behavior, because ambiguous or malformed prompts may still trigger operational actions.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The skill instructs itself to run a startup routine automatically based on a file freshness check, before handling any request and without requiring explicit user warning or approval. Because the metadata includes exec:scripts, this creates a credible path to silent script execution and environment modification triggered merely by invoking the skill.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The instruction to run web search omits any notice that provider/model identifiers and search terms may be sent to external services. This can leak internal naming, deployment choices, or other operational metadata, especially in enterprise environments where provider/model selections may be sensitive.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The skill explicitly instructs the agent to write task data to disk as part of normal operation, but it does not require user notice or confirmation before modifying local files. In an orchestration skill that routes arbitrary user requests to subagents, silent persistence increases the risk of unintended data retention, workspace pollution, and writing sensitive content derived from user prompts without informed consent.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The scheduled-task instructions direct the agent to register cron jobs for recurring execution without requiring a prominent warning, confirmation, or clear opt-in for persistent automation. Because this skill is an orchestrator that can spawn subagents and continue future activity, unattended scheduling materially raises the risk of unexpected repeated actions, ongoing resource use, and persistence beyond the user's immediate session.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: The trigger lists are broad enough that many ordinary user prompts could match multiple categories, which can cause the orchestrator to misclassify tasks and route them to an inappropriate subagent. In a routing skill like Baton, classification errors directly influence downstream tool/model selection, increasing the chance of over-privileged execution, unnecessary agentic behavior, or incorrect handling of sensitive requests.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The installer writes to BOOT.md and potentially prepends content to AGENTS.md without any confirmation, directly changing workspace instructions that govern future agent behavior. Modifying these control files silently is dangerous because it can persistently alter how the agent operates and may override user expectations or existing workspace policies.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The script schedules a cron job and then restarts the gateway without pre-action confirmation, combining persistence with immediate activation. This is dangerous because the user is not given a chance to review or deny sensitive actions that affect system scheduling and service availability, increasing the chance of unintended or opaque behavior.

Vague Triggers
Severity: Medium
Confidence: 92%
Finding: The configuration explicitly states that external Ollama hosts are treated as unlimited unless the user specifies otherwise. That assumption is unsafe because non-local hosts may enforce quotas, proxy limits, billing, or shared-capacity controls, and misclassifying them can cause the orchestrator to over-route requests, leading to service disruption, unexpected costs, or exhaustion of shared resources.

VirusTotal

65/65 vendors flagged this skill as clean.