Ops Skills Pack

Security checks across malware telemetry and agentic risk

Overview

This skill pack is upfront that it enables autonomous OpenClaw operation, but it sets up recurring unattended work and broad, persistent memory and logging without safety boundaries in the default configuration.

Install it only if you intentionally want OpenClaw to run recurring autonomous work. Before enabling cron: restrict the directories and actions the agent may touch; require operator approval for writes, cleanup, dependency installs, deployments, external API calls and auto-fix commands; set time and cost limits; and test with dry runs. Keep the memory and log markdown files out of version control, store no secrets in them, redact raw errors and inputs before they are written, and review the scheduled jobs regularly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (23)

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
The maintenance examples go beyond cron orchestration and instruct the agent to perform privileged system-administration tasks such as repair, cleanup, and security auditing. In an unattended scheduled context, this expands the skill's authority and can cause unintended system changes or normalization of high-risk actions without clear operator approval.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The skill is introduced as a mechanism for resuming work via cron wake-ups, but later examples direct the agent to run system repair and security operations. That mismatch makes the capability more dangerous because users may enable a seemingly simple scheduling skill without realizing it authorizes broader autonomous administrative behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The skill explicitly proposes persisting security context such as credentials-management methods, rotation processes, emergency access procedures, and sensitive-data handling into long-lived local memory files, but provides no minimization, access control, encryption, or redaction guidance. Even if it does not say to store raw secrets directly, normalizing storage of security-sensitive operational details increases the chance that secrets, recovery procedures, or privileged handling notes are captured in plaintext and later exposed or misused.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The description explicitly promotes overnight autonomous operation, self-expanding task lists, persistent memory, and cron-based scheduled execution, but it does not include a clear warning that these behaviors can modify files or affect a user's system without immediate supervision. In a skill pack for infrastructure automation, this omission is security-relevant because users may enable powerful automation without understanding the operational and data integrity risks.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The document explicitly promotes autonomous operation 'while you sleep' and self-directed task execution without nearby warnings about unattended modifications, review gates, or blast-radius limits. In an agent skill pack, this can normalize unsupervised code and data changes, increasing the chance of accidental destructive actions or persistence of faulty changes.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The cron setup section provides concrete commands for scheduled overnight execution that resume tasks and update logs, but it does not clearly warn that these jobs can change workspace contents and possibly broader system state unattended. This is risky because users may copy-paste the automation as-is, enabling recurring autonomous actions without understanding the need for scope restrictions and safeguards.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The quickstart instructs users to schedule unattended overnight cron tasks that let the agent continue work autonomously, but it does not warn about risks such as unintended file changes, unsafe command execution, cost exposure, or work continuing without supervision. In a setup guide for autonomous operations, omission of those warnings materially increases the chance of unsafe deployment by normalizing always-on agent activity.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README recommends running auto-remediation commands such as `openclaw doctor --deep --fix --yes` and `openclaw security audit --fix` without explaining what will be changed, what scope is affected, or that the commands may modify configuration or state automatically. In an agent-skill context, presenting destructive or state-changing commands as routine health checks is risky because operators or autonomous systems may execute them blindly, causing unintended changes or masking underlying issues.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The quick-start section explicitly instructs users to configure a cron job that tells the agent to continue work autonomously overnight, but it does not include safeguards, approval boundaries, or a warning that unattended actions may modify systems without human review. In an operations-focused skill pack, this materially increases risk because users are encouraged to deploy persistent automated behavior in production-like environments.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The document explicitly promotes unattended overnight execution that continues tasks, updates files, archives work, and modifies project state while the user is absent. Without a prominent warning, confirmation flow, or guardrails, this creates a substantial risk of silent destructive edits, runaway automation, or policy-violating actions happening outside active supervision.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The maintenance instructions include cleanup and recovery actions that may delete temporary files, alter state, or attempt repairs, yet the skill does not warn about data loss or operational side effects. In a cron-driven autonomous setting, these actions are more hazardous because they may execute repeatedly without human review.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
This guidance tells agents to capture full error messages, stack traces, system state, input data, and recent operations with no instruction to redact secrets, personal data, or tokens. In practice, error context often contains API keys, credentials, file paths, session data, prompts, and user content, so persisting or sharing it can directly leak sensitive information.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The template explicitly asks for full stack traces and raw input data in persisted error logs. Those artifacts commonly contain secrets, personal data, internal paths, database details, and proprietary code context, making the template a strong driver of accidental sensitive-data retention and later disclosure.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The escalation template instructs agents to include full error details, logs, and code snippets and share them outward without any guardrail on confidentiality. Escalation broadens the audience for the data, so unredacted attachments can expose secrets, customer data, internal implementation details, or security-sensitive operational context to users or external systems.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The architecture section establishes a file-based persistence system for broad project and user context without any privacy boundaries, retention limits, or sensitivity checks. In practice, this encourages accumulation of potentially sensitive project metadata and contextual information in a durable location, increasing exposure through local compromise, syncing, backups, or accidental commits.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The USER.md template invites collection of personal profile details, working hours, timezone, deadlines, blocked items, and behavioral preferences in a persistent profile, but gives no warning to avoid sensitive, unnecessary, or regulated personal data. This creates a clear privacy risk because agents may over-collect personally identifiable or operationally sensitive information and retain it indefinitely.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill encourages detailed logging of test evidence, error messages, reasoning, and context, but it does not warn against including secrets, tokens, credentials, personal data, or other sensitive operational details. In an autonomous agent workflow, such logs are often persisted, searched, exported, or reviewed later, which increases the chance that sensitive data is unintentionally retained or exposed.
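
The error-log and escalation templates (the findings above on capturing full stack traces and raw input data) and the memory-file findings (what accumulates in USER.md and progress-log.md) all lack a redaction step. The following is an added example, not code from the skill pack or from OpenClaw: a redaction pass for error context, plus the same pattern list used as a scanner over memory files before they are kept, shared or committed. The pattern list, the sample trace and the sample input are constructed for the example and should be extended for a real environment.

```python
"""Redact secrets and personal data from error context before it is persisted.

Added example, not part of the skill pack. The pattern list and the sample
trace/input below are constructed; extend the list for your own environment.
"""
import re

# (name, pattern, replacement). A replacement may use \1 \2 to keep a key
# name while dropping its value, so the log still says *which* setting failed.
PATTERNS = [
    ("private_key",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
     "[REDACTED:private_key]"),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED:aws_access_key]"),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[\w.~+/=-]{16,}"), "[REDACTED:bearer_token]"),
    ("assignment",
     re.compile(r"(?i)\b(api[_-]?key|secret|token|password|passwd)(\s*[=:]\s*)\S+"),
     r"\1\2[REDACTED:assignment]"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[REDACTED:email]"),
]


def redact(text):
    """Replace every sensitive match with a labelled placeholder."""
    for _name, pattern, replacement in PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def scan_text(text):
    """Return (pattern_name, line_number) for each hit, in line order.

    Use this over USER.md / progress-log.md before a commit or an escalation;
    a non-empty result should block the action, not just warn.
    """
    hits = []
    for name, pattern, _replacement in PATTERNS:
        for m in pattern.finditer(text):
            hits.append((name, text.count("\n", 0, m.start()) + 1))
    return sorted(hits, key=lambda h: h[1])


def build_error_record(message, stack_trace, input_data, max_input_chars=500):
    """Error-log entry with secrets stripped.

    Redaction runs before truncation, so a cut excerpt can never end in the
    first half of a key that a later reader could still recognise.
    """
    excerpt = redact(input_data)
    if len(excerpt) > max_input_chars:
        excerpt = excerpt[:max_input_chars] + "...[truncated]"
    return {
        "message": redact(message),
        "stack_trace": redact(stack_trace),
        "input_excerpt": excerpt,
    }


# Constructed sample data: a trace that embeds a bearer token and an input
# blob carrying a cloud key, a password assignment and an e-mail address.
SAMPLE_TRACE = """Traceback (most recent call last):
  File "/home/alice/project/deploy.py", line 42, in push
    requests.post(url, headers={"Authorization": "Bearer sk_live_0123456789abcdef0123"})
requests.exceptions.HTTPError: 401 for https://api.example.com/v1/deploy
"""
SAMPLE_INPUT = (
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "password=hunter2\n"
    "contact: alice@example.com\n"
)

if __name__ == "__main__":
    print(build_error_record("401 Unauthorized", SAMPLE_TRACE, SAMPLE_INPUT))
    print(scan_text(SAMPLE_INPUT))   # e.g. [('aws_access_key', 1), ('assignment', 2), ('email', 3)]
```

Wire scan_text into a pre-commit hook for the memory files and into the escalation step, and have the agent call build_error_record instead of writing the raw trace and input to the log template. The pattern list is deliberately short; a real deployment adds the token formats of the services it actually talks to.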

Missing User Warnings

Severity: Low
Confidence: 73%
Finding
The cron examples normalize unattended automatic modification of progress-log.md without any warning about review, file integrity, or the risk of repeatedly appending inaccurate or sensitive state. While not directly exploitable by itself, this can amplify damage from bad prompts, agent errors, or sensitive-context leakage because changes occur on a schedule without human confirmation.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The document recommends auto-fix commands such as `openclaw security audit --fix` and `openclaw doctor --deep --fix --yes` without an explicit warning that they may change configuration, packages, permissions, or runtime state. In an autonomous-agent context, documenting destructive or state-changing commands as routine security operations can lead operators or downstream agents to execute them blindly and cause outages or unsafe reconfiguration.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill explicitly tells the agent to append discovered tasks to Todo.md and later instructs logging to progress-log.md as part of the autonomous loop, but it does not require user awareness, consent, or scoped limits on what files may be modified. In an agent setting, silent repeated file mutation creates integrity and auditability risks, especially when the skill is designed to run continuously and expand work on its own.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The cron integration section schedules overnight autonomous execution at 2am, 4am, and 6am with instructions to continue work while the user is away, yet it lacks a prominent warning about unattended operation and its consequences. This materially increases risk because the agent is encouraged to persist, modify artifacts, and make task-selection decisions without real-time human review.
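
The overview asks for restricted actions, approval for auto-fix commands, time limits and dry runs, and the cron findings above (through to the 2am/4am/6am schedule) note that the pack provides none of this. The following is an added example, not the skill pack's or OpenClaw's own code: a wrapper that cron runs in place of the agent command. It refuses command lines carrying auto-apply flags such as `--fix` and `--yes` unless an operator has approved that exact command, takes an exclusive lock so overlapping runs cannot stack up, enforces a wall-clock limit, and has a dry-run mode. The allowlisted executable names, the flag and word vocabulary, the AGENT_DRY_RUN variable and the crontab line are assumptions.

```python
"""Guarded wrapper for a scheduled (cron) agent run.

Added example, not part of the skill pack. Executable names, gated flags and
the AGENT_DRY_RUN variable are assumed vocabulary; adjust them to your setup.
"""
import os
import shlex
import subprocess
import sys
import tempfile
from dataclasses import dataclass

DEFAULT_LOCK_PATH = os.path.join(tempfile.gettempdir(), "agent-scheduled-run.lock")


@dataclass(frozen=True)
class RunPolicy:
    # Executables an unattended run may launch at all (assumed names).
    allowed_executables: frozenset = frozenset({"openclaw", "git"})
    # Flags that turn a report into a state change; they need a human to
    # have approved the exact command line (e.g. `openclaw security audit --fix`).
    approval_flags: frozenset = frozenset({"--fix", "--yes", "-y", "--force"})
    # Words that mark deployments, installs and cleanups (assumed vocabulary).
    approval_words: frozenset = frozenset({"deploy", "install", "cleanup", "rm"})
    max_runtime_s: int = 600


def check_command(argv, policy, approved=False):
    """Return None if argv may run unattended, otherwise the reason it may not."""
    if not argv:
        return "empty command"
    exe = os.path.basename(argv[0])
    if exe not in policy.allowed_executables:
        return f"executable not allowlisted: {exe}"
    gated = [a for a in argv[1:] if a in policy.approval_flags or a in policy.approval_words]
    if gated and not approved:
        return "needs operator approval for: " + " ".join(gated)
    return None


def clear_lock(lock_path=DEFAULT_LOCK_PATH):
    """Operator utility: remove a lock left behind by a crashed run."""
    try:
        os.remove(lock_path)
        return True
    except FileNotFoundError:
        return False


def run_guarded(argv, policy, lock_path=DEFAULT_LOCK_PATH, dry_run=False, approved=False):
    """Run argv under the policy; returns a dict describing the outcome."""
    reason = check_command(argv, policy, approved)
    if reason:
        return {"status": "refused", "reason": reason}
    if dry_run:
        return {"status": "dry-run", "command": shlex.join(argv)}
    try:
        # O_EXCL makes creation atomic: a second overlapping run fails here.
        fd = os.open(lock_path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
    except FileExistsError:
        return {"status": "skipped-locked", "reason": f"another run holds {lock_path}"}
    try:
        os.write(fd, str(os.getpid()).encode())
        os.close(fd)
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=policy.max_runtime_s)
        return {"status": "ok" if proc.returncode == 0 else "failed", "returncode": proc.returncode}
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "reason": f"exceeded {policy.max_runtime_s}s"}
    finally:
        os.remove(lock_path)


if __name__ == "__main__":
    # Assumed crontab entry (not from the skill pack); drop AGENT_DRY_RUN once
    # the dry runs look right:
    #   0 2,4,6 * * * AGENT_DRY_RUN=1 /usr/bin/python3 /opt/agent/guarded_run.py openclaw doctor --deep
    outcome = run_guarded(sys.argv[1:], RunPolicy(), dry_run=os.environ.get("AGENT_DRY_RUN") == "1")
    print(outcome)
    sys.exit(0 if outcome["status"] in ("ok", "dry-run") else 1)
```

The gate is deliberately a plain allowlist plus a short list of state-changing tokens: the auto-fix commands the report flags (`openclaw doctor --deep --fix --yes`, `openclaw security audit --fix`) are refused unless the operator runs the wrapper with approved=True for that command, and anything that is not on the executable allowlist (sudo, rm, package managers) never starts. The wall-clock limit is the crude cost cap; a real deployment adds an API-spend check.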

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The installation instructions use a blind copy command that can overwrite existing workspace markdown files without an explicit warning, confirmation step, or safer flag. In this context those files are persistent agent configuration and memory artifacts, so accidental replacement could destroy user-customized settings, task history, or operational context and cause unsafe or incorrect future agent behavior.
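
The blind copy the finding describes can be replaced by an install step that never overwrites an existing workspace file. The following is an added example, not the skill pack's installer: it copies each *.md file only when the destination is absent, reports files that already exist and differ, and, when overwriting is requested explicitly, backs the old file up first. The file names match those the report mentions; the scenario in demo() is constructed.

```python
"""Install workspace markdown files without silently overwriting existing ones.

Added example, not the skill pack's own installer. The demo() scenario and
its file contents are constructed.
"""
import filecmp
import shutil
import sys
import tempfile
import time
from pathlib import Path


def backup_path(dest: Path) -> Path:
    """Timestamped sibling name for a backup; never reuses an existing name."""
    base = dest.with_name(f"{dest.name}.bak-{time.strftime('%Y%m%d-%H%M%S')}")
    candidate, n = base, 1
    while candidate.exists():
        candidate = base.with_name(f"{base.name}.{n}")
        n += 1
    return candidate


def install_workspace_files(src_dir, dest_dir, overwrite=False):
    """Copy *.md from src_dir into dest_dir.

    Returns file names under 'copied', 'unchanged' (identical file already
    there), 'skipped' (exists and differs, left alone) and 'backed_up'
    (exists and differs, saved aside and then overwritten; also in 'copied').
    """
    src_dir, dest_dir = Path(src_dir), Path(dest_dir)
    result = {"copied": [], "unchanged": [], "skipped": [], "backed_up": []}
    for src in sorted(src_dir.glob("*.md")):
        dest = dest_dir / src.name
        if dest.exists():
            if filecmp.cmp(src, dest, shallow=False):
                result["unchanged"].append(src.name)
                continue
            if not overwrite:
                result["skipped"].append(src.name)
                continue
            shutil.copy2(dest, backup_path(dest))   # keep the customised copy
            result["backed_up"].append(src.name)
        shutil.copy2(src, dest)
        result["copied"].append(src.name)
    return result


def demo():
    """Constructed scenario: a customised USER.md, an identical progress-log.md
    and a Todo.md that does not yet exist in the workspace."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp, "skill"), Path(tmp, "workspace")
        src.mkdir()
        dest.mkdir()
        (src / "USER.md").write_text("# USER\nname:\n")
        (src / "Todo.md").write_text("# Todo\n")
        (src / "progress-log.md").write_text("# Progress log\n")
        (dest / "USER.md").write_text("# USER\nname: alice\ntimezone: UTC\n")
        (dest / "progress-log.md").write_text("# Progress log\n")
        first = install_workspace_files(src, dest)                  # default: never clobber
        second = install_workspace_files(src, dest, overwrite=True)  # explicit, with backup
        names = sorted(p.name for p in dest.iterdir())
        backup = next(p for p in dest.iterdir() if p.name.startswith("USER.md.bak-")).read_text()
        return first, second, names, backup


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(install_workspace_files(sys.argv[1], sys.argv[2]))
    else:
        print(demo())
```

The default call is safe to repeat: an unchanged file is reported as such and a customised file is never touched. Overwriting is an explicit flag, and even then the previous USER.md, Todo.md or progress-log.md survives as a timestamped backup that the operator can diff before deleting.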

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The same USER.md section directs retention of broad user and context data without safeguards such as sensitivity classification, need-to-know filtering, redaction, expiration, or deletion controls. Because the skill is specifically about durable memory across sessions, the context makes the issue more dangerous: any sensitive data captured once is likely to persist and be reused well beyond its original purpose.

VirusTotal

66/66 vendors reported this skill as clean (no detections).

View on VirusTotal