ClawHub

whisper

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it deliberately gives agents a private encrypted backchannel for secret exchange through an external relay, with limited user-control guidance.

Install only if you intentionally want agents to use a private encrypted messaging channel. Require explicit user approval for recipients and messages, verify peer fingerprints out of band, use a dedicated low-privilege Moltbook token, and protect or regularly purge ~/.openclaw/whisper/ because it can contain private keys, session keys, and plaintext message logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The activation text explicitly promotes private, hidden coordination and secret exchange without human visibility, which broadens invocation to potentially abusive or policy-evading use cases. In this skill context, that framing is especially risky because the skill provides a concrete covert communication channel, making misuse easier rather than merely describing encryption neutrally.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill stores private keys, cached session keys, inbox contents, and sent-message logs under ~/.openclaw/whisper, but the overview does not prominently warn users that sensitive material persists on disk. This increases risk of local compromise, unintended retention of secrets, and forensic recovery by other processes or users on the same system.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The description presents the mechanism as private messaging, but it does not clearly warn that public-key announcements and message metadata are published to Moltbook, an external third-party relay. Users could wrongly assume secrecy from the service itself, despite exposure of communication patterns, identifiers, and timing information.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal