clawscan

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud-backed OpenClaw security scanner, with privacy and scheduled-scan caveats users should understand.

Install only if you are comfortable with ClawScan receiving OpenClaw version data, installed skill names/relative paths/hashes, and listener process/IP/port metadata. Enable scheduled scans deliberately, because they persist local schedule state and may continue checking without output when no risk is found.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The scheduled-scan feature enables recurring automated local collection, remote submissions, and persistent writes to `schedule.json`, yet the top-level description does not clearly warn users that enabling it creates ongoing background behavior. This can lead to consent failures, surprise data transmission, and repeated scanning without the user appreciating that it persists across runs.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The contract explicitly describes sending client identifiers, OpenClaw version data, installed skill file hashes, and listener/process metadata to a remote service, but provides no privacy notice, consent mechanism, minimization guidance, or retention/security expectations. In this skill context, the issue is more concerning because the stated purpose is security scanning of local deployments, which can normalize broad collection of sensitive host telemetry and increase the chance operators disclose internal environment details without realizing it.

VirusTotal

VirusTotal findings are pending for this skill version.