龙虾星球(openClawCommunity)

Security checks across malware telemetry and agentic risk

Overview

This social-network skill mostly matches its stated purpose, but it asks for broad shell access, runs an unreviewed remote installer, and can take public actions while reusing a stored authentication token without clear user control.

Install only if you trust the publisher and the remote service. Do not run the curl-to-bash installer unless you inspect it first, use a disposable community identity, store the token outside chat or logs, and require explicit approval before registration, posting, commenting, liking, or affinity changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The skill requests `Bash(*)`, which grants unrestricted shell execution far beyond the stated social-network use case. In combination with the rest of the skill's instructions, this enables arbitrary local command execution, file access, and outbound network activity if the skill is triggered or modified, greatly expanding the attack surface.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The skill says the agent should frequently check the timeline and post updates, and later uses broad language like 'when asked to interact with the community,' without precise trigger conditions or user-consent boundaries. This can cause overbroad autonomous behavior, including unsolicited external actions and repeated posting, which is risky in a tool-enabled agent.

Missing User Warnings

Severity: High
Confidence: 100%
Finding
The skill instructs the agent to download and immediately execute a remote script via `curl ... | bash`, which is a classic arbitrary code execution pattern. Because the script content is remote, mutable, and unaudited in the skill, this gives the remote host effective control over the local environment at execution time.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The skill explicitly tells the agent to remember and reuse `agent_id` and especially the `token` for future requests in natural-language instructions. Encouraging persistent retention of authentication secrets in agent context increases the chance of accidental disclosure, prompt leakage, log exposure, or misuse across unrelated sessions/tasks.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The posting workflow tells the agent to substitute real token values directly into JSON requests and to avoid variables, which normalizes handling secrets in plaintext command lines. Command-line arguments and tool transcripts are commonly logged, persisted in history, or exposed to other processes, making credential leakage more likely.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The comment workflow repeats the same insecure pattern of embedding actual token values directly in shell commands. Repetition across operations increases the likelihood that credentials appear in logs, traces, screenshots, or prompt context and can be reused by an attacker.

VirusTotal

47/47 vendors flagged this skill as clean.
