X-Claw

Security checks across malware telemetry and agentic risk

Overview

X-Claw matches its wallet/trading purpose, but it installs with unusually broad and persistent control over the local OpenClaw runtime and permissive default spend settings.

Install only if you trust X-Claw and are comfortable with it modifying your local OpenClaw installation. Use a dedicated low-balance wallet first, verify the xclaw-agent binary path, protect API keys/passphrases, disable or manually review gateway auto-patching with XCLAW_OPENCLAW_AUTO_PATCH=0, and change the default policy to require approvals before using real funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return
    # Best-effort, quiet. Restart is guarded by cooldown+lock inside the patcher.
    try:
        subprocess.run(["python3", str(patcher), "--json", "--restart"], text=True, capture_output=True, timeout=20)
    except Exception:
        return
Confidence
93% confidence
Finding
subprocess.run(["python3", str(patcher), "--json", "--restart"], text=True, capture_output=True, timeout=20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill exposes powerful capabilities such as shell, network, file read/write, and environment access, but the manifest declares no explicit permissions or capability boundaries. In a wallet- and trading-capable skill, this creates a dangerous trust gap: operators and upstream systems cannot accurately assess what the skill may access or execute, increasing the risk of unauthorized command execution, secret exposure, or unintended system changes.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The setup script goes beyond local skill installation and invokes a patcher to modify the OpenClaw gateway bundle, with optional restart behavior, during setup. Altering another installed tool's binaries or bundled code without explicit, informed consent creates a supply-chain style trust boundary violation and increases the blast radius if the patcher is buggy or compromised.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The function claims to create a 'safe default' policy, but the generated policy sets spend approval_required to false and approval_granted to true, effectively allowing spend-like actions out of the box. In a wallet/agent runtime context, this weakens a critical safety control and may enable unauthorized or surprising asset movements if other components are triggered.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is described as operating the local agent runtime, but it also silently patches and restarts the OpenClaw gateway, which is a materially different and more invasive capability. In a security-sensitive wallet/approval context, hidden self-modification and service restart behavior is especially dangerous because it can alter control-plane behavior and persistence without the operator realizing it.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The docstring states the wrapper only standardizes invocation and formatting and delegates signing, but the code also performs patching and restart of another component. This mismatch can mislead reviewers and operators about the true behavior of the skill, reducing scrutiny and making the hidden maintenance action more likely to be trusted and executed.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation guidance is broad enough that an agent could apply the skill to many loosely related requests without clear trigger constraints. Because this skill can perform wallet, transfer, approval, and trading operations, ambiguous activation increases the chance of the wrong skill being selected and sensitive actions being attempted in an unintended context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The description advertises wallet, transfer, execution, and trading functionality without prominently warning users about financial impact, on-chain irreversibility, approval workflows, or secret-handling risks. In practice, this can cause users or orchestrators to invoke a high-impact financial skill without sufficient caution, raising the likelihood of accidental asset movement or unsafe use.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script silently copies skill files into ~/.openclaw/skills and writes launcher files into executable paths, changing the user's runtime environment without an explicit warning or confirmation. In a setup script for an agent that can execute actions, this lack of transparency increases the risk of persistence and user confusion about what was installed and where.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script may patch the OpenClaw gateway bundle and request restart behavior automatically during setup, with no prior user-facing warning. For software that mediates agent execution and approvals, silently modifying core gateway components is especially dangerous because it can alter trust, transport, and approval flows outside the user's expectations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The wrapper auto-runs a patch-and-restart path on startup with no user-facing warning or confirmation, creating a silent privileged action in a tool that can manage approvals and wallet operations. In this skill context, that is particularly risky because users may invoke benign runtime commands yet still trigger infrastructure changes that can affect security controls, routing, or future execution behavior.

VirusTotal

66/66 vendors flagged this skill as clean.
