ClawHub

OpenClaw Capture

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated capture-and-notification purpose, but it can send user content to external services and run configured local transcription commands without tight invocation controls.

Install only if you trust the local openclaw_capture_workflow checkout, the backend URL, and the Telegram/Feishu destinations. Use dedicated low-privilege credentials, avoid implicit invocation where possible, do not configure OPENCLAW_CAPTURE_LOCAL_STT_COMMAND unless the executable is trusted, and assume submitted content or transcripts may leave the device.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill executes settings.local_stt_command from configuration after templating user-controllable values such as url and API parameters, effectively allowing arbitrary local program execution under the skill's privileges. Although shlex.split avoids shell metacharacter expansion, the design still permits execution of any binary and can be abused if configuration is modified or supplied by an untrusted source.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The description says the skill captures links, text, images, and videos and fans results out to Telegram and Feishu, but it does not clearly warn that user-provided content may be transmitted to third-party services and chat outputs. In context, this is especially sensitive because captured media may contain private text, images, or audio transcripts that users may assume remain local.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill enumerates API keys, bot tokens, and webhooks required for operation without any warning that these are sensitive secrets. This can lead to careless handling, accidental logging, or unsafe sharing of credentials that would allow unauthorized use of external services or message delivery channels.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill enables implicit invocation without any visible activation constraints, which means the agent may trigger this skill automatically based on vague user intent. In this skill's context, automatic triggering is riskier because it dispatches local capture jobs and sends outputs to external channels, increasing the chance of unintended data capture, processing, or exfiltration.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation describes sending payloads to a remote backend URL and polling a remote job endpoint, but it does not warn users that captured content may leave the local machine or explain what data is transmitted. In a capture workflow that handles links, text, images, and videos, this omission can lead to unintentional disclosure of sensitive user content or metadata to external services.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The STT profiles document remote fallback and remote-only audio processing without clearly warning that audio content may be uploaded to an external service. Because audio may contain sensitive speech or personal data, silent fallback to remote processing materially increases privacy risk and can surprise users who expected local transcription.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This path runs a locally configured STT command with no user-facing disclosure in the file, which creates a transparency and trust boundary problem: operators may believe the skill only performs capture/transcription routing while it can invoke arbitrary local executables. In an agent skill context, hidden execution is more dangerous because users often delegate broad automation privileges without reviewing runtime behavior.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The bridge forwards url, api_key, and api_base_url to a legacy transcription subprocess, which may then send them to remote services, but this file provides no notice or consent boundary around that credential and data transfer. In a capture/transcription skill, handling sensitive media links and API credentials is expected, yet the lack of disclosure still increases privacy and secret-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal