ClawUsage Windows Hardlock

Security checks across malware telemetry and agentic risk

Overview

This looks like a real usage-monitoring skill, but it uses local login tokens, session data, background scheduling, and outbound chat alerts in ways users should review first.

Install only if you trust the publisher and specifically want a Windows chat-triggered OpenClaw usage monitor. Before enabling auto alerts, review that it can read OpenClaw auth/session files, contact chatgpt.com with your stored token, create a hidden scheduled task, and send idle/usage details to a chat target inferred from recent activity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
The script reads local session metadata to recover message routing information and can also parse local message logs to derive token usage. That exceeds a narrow 'run monitoring commands' expectation and creates a privacy boundary issue, because local chat/session data is repurposed for automated outbound notifications without clear consent or minimization.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The skill is presented as a local usage-monitoring tool, but this code also sends outbound messages and stores persistent notification state. That mismatch can mislead users about the actual behavior and increases the risk of silent data egress or background activity they did not knowingly authorize.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The script is presented as a local usage monitor, but it also makes an authenticated outbound request to https://chatgpt.com/backend-api/wham/usage using credentials pulled from local profile storage. That expands the trust boundary from local inspection to remote API access and creates undisclosed network behavior, which is security-relevant in a chat-triggered skill because users may not expect token-backed external requests.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The code reads bearer tokens and account identifiers from a local auth-profiles.json file and repurposes them for direct API calls. Even though the goal is to fetch usage data, accessing and transmitting stored credentials is a privileged action beyond simple monitoring, and in an agent skill context this increases the risk of credential misuse or unintended disclosure if the behavior is later modified or reused.

Missing User Warnings

High
Confidence: 95%
Finding
The skill explicitly runs PowerShell with `-ExecutionPolicy Bypass`, which weakens a host safeguard and allows bundled or tampered scripts to execute even where policy would normally restrict them. In this skill's context, that is more dangerous because the skill auto-materializes scripts from a discovered directory and then executes them locally, expanding the attack surface if the skill package or searched path is compromised.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script transmits idle status, last activity time, and usage/quota details to an external messaging channel based on inferred session routing. Sending operational telemetry to chat without an explicit warning, consent flow, or destination confirmation can leak sensitive behavioral information to unintended recipients.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script silently loads a local auth token and account ID and includes them in HTTP headers for an outbound request, but the file contains no user-facing warning or consent gate for that sensitive operation. In a chat-invoked skill, this is dangerous because the command may be triggered casually while performing hidden credentialed network activity that users did not knowingly authorize.

VirusTotal

63/63 vendors flagged this skill as clean.