OMNI Semantic Signal Engine

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed OMNI wrapper, but it gives the agent broad shell-like command execution and local log retrieval without meaningful in-plugin limits.

Install only if you intentionally want to give OpenClaw a shell-like local command tool routed through OMNI. Verify the OMNI binary and prefer an absolute omniPath, keep normal command approvals enabled, avoid running commands that print secrets, and periodically clear or inspect the local OMNI archive if sensitive output may be captured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

High (94% confidence)
Finding
The README presents the skill as a local semantic filtering bridge, but the documented `omni_cmd` tool is a general-purpose command execution interface equivalent to `shell` or `bash`. This creates a capability mismatch: a user or reviewer may trust the skill as a passive filtering component when it actually enables arbitrary local command execution, which can lead to filesystem changes, data access, or code execution under the agent's privileges.

Context-Inappropriate Capability

High (97% confidence)
Finding
The README explicitly documents arbitrary shell-style execution via `omni_cmd` with input like `{ "command": "npm install" }` and says to use it exactly like `shell` or `bash`. For a skill whose stated purpose is semantic context filtering, exposing unrestricted command execution is dangerous because it allows destructive or sensitive operations unrelated to filtering, including downloading code, modifying the system, or exfiltrating local data through invoked commands.

Description-Behavior Mismatch

Medium (92% confidence)
Finding
The documentation materially understates the skill's operational scope by presenting it as context filtering while also describing a terminal execution proxy with persistent log archival and rewind. In this context, the mismatch makes the skill more dangerous because it is embedded in an agent workflow where understated capabilities can lead to overtrust and unintended access to local command output and stored history.

Intent-Code Divergence

Medium (90% confidence)
Finding
Calling the tool a 'secure proxy' or 'secure bridge' is misleading when `omni_cmd` is described as executing arbitrary terminal and development commands. Security-oriented language can create false assurance and reduce scrutiny, while arbitrary command execution remains a high-risk primitive regardless of safer spawning details like `execFile`.

Description-Behavior Mismatch

High (98% confidence)
Finding
The plugin advertises local semantic filtering, but it registers a tool that executes arbitrary terminal commands supplied at runtime. That mismatch is security-relevant because it hides a general command-execution capability behind an innocuous description, increasing the chance that users or higher-level agents invoke it without appropriate trust assumptions or restrictions.

Context-Inappropriate Capability

High (99% confidence)
Finding
The `omni_cmd` tool accepts an arbitrary string command and forwards it to the OMNI binary as an execution request, effectively exposing a shell-like terminal capability. Even though `execFile` avoids direct shell injection in Node.js, the tool still enables arbitrary command execution through the downstream binary, which is far broader than the stated skill purpose and can be abused for destructive actions, persistence, or data access.

Intent-Code Divergence

Medium (93% confidence)
Finding
The documentation frames the module as a semantic distillation engine, while the actual behavior is terminal execution and archive retrieval. This deceptive or inaccurate framing is dangerous because it reduces operator scrutiny and undermines informed consent, making a high-risk capability appear routine and low-risk.

Missing User Warnings

Medium (88% confidence)
Finding
The documentation describes shell-like execution but does not clearly warn that commands may install software, alter files, access secrets, or otherwise impact the host system. In an agent setting, missing impact warnings increase the chance that users or downstream integrators treat the tool as low-risk infrastructure rather than a privileged execution surface, making accidental misuse more likely.

VirusTotal

64/64 vendors flagged this skill as clean.
