显博的二号【代重启】

Security checks across malware telemetry and agentic risk

Overview

This is a real persona restart package, but it overwrites persistent OpenClaw memory/instruction files and gives the restored persona broad autonomous authority.

Install only if you intentionally want this workspace to become the “二号” persona. Back up your OpenClaw workspace first, review the restored markdown files, remove broad autonomy/email/calendar/system-management instructions if unwanted, and run the Python script only in a dedicated workspace unless you accept persistent replacement of current agent memory and rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (36)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Check for clawhub
    try:
        import subprocess
        result = subprocess.run(["clawhub", "--version"],
                                capture_output=True, text=True, timeout=5)
        if "ClawHub CLI" in result.stdout or "ClawHub CLI" in result.stderr:
            report["clawhub"] = "已安装"
Confidence
89% confidence
Finding
result = subprocess.run(["clawhub", "--version"], capture_output=True, text=True, timeout=5)

Tainted flow: 'restart_file' from os.environ.get (line 90, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
        }
    }

    with open(restart_file, 'w', encoding='utf-8') as f:
        json.dump(restart_data, f, indent=2, ensure_ascii=False)

    print(f"✅ 重启标记创建: {restart_file}")
Confidence
94% confidence
Finding
with open(restart_file, 'w', encoding='utf-8') as f:

Tainted flow: 'report_file' from os.environ.get (line 238, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    # Save the full report
    report_file = restart_file.parent / "restart_report.json"
    with open(report_file, 'w', encoding='utf-8') as f:
        json.dump(report, f, indent=2, ensure_ascii=False)

    return 0
Confidence
93% confidence
Finding
with open(report_file, 'w', encoding='utf-8') as f:

Tainted flow: 'target' from os.environ.get (line 71, credential/environment) → shutil.copy2 (file write)

Medium
Category
Data Flow
Content
        target = workspace / filename

        if source.exists():
            shutil.copy2(source, target)
            restored.append(filename)
            print(f"✅ 恢复: (unknown) ({description})")
        else:
Confidence
96% confidence
Finding
shutil.copy2(source, target)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill is presented as a passive backup/restart snapshot, but this section grants the agent broad sovereign identity, decision-making autonomy, and authority over the environment. That mismatch is dangerous because users may install or invoke it expecting state restoration while actually enabling an active autonomous agent with expanded privileges.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Granting a backup-oriented skill the right to evaluate, modify, customize, or uninstall other skills creates an unnecessary control plane over the agent environment. If followed, this could let the skill alter trust boundaries, disable protections, or persist its influence beyond simple restoration.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This section authorizes proactive web access, calendar checks, hardware usage, system management, and skill installation, none of which are necessary for backup/restore. In context, that scope expansion increases the chance of unintended external actions, privacy exposure, or host-system changes under a misleadingly passive label.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The heartbeat logic converts the skill into an ongoing monitoring and notification agent that tracks state, performs checks, and decides when to contact the user. That is broader than a restart snapshot and can create persistent surveillance-like behavior or repeated unsolicited actions if enabled.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Authorizing CLI tools, API calls, browser automation, file operations, search, and sub-agents gives the skill multiple execution paths well beyond backup needs. This materially increases attack surface and makes harmful or unexpected actions more likely if the instructions are applied broadly.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The self-improvement section instructs the agent to rewrite operational files and evolve its own behavior without waiting for permission. That creates a persistence and drift risk: the skill can change future execution rules, making later behavior less predictable and potentially bypassing the user's original consent boundaries.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file claims to be a backup/restart artifact, but these instructions materially expand the agent’s role into ongoing autonomous system management, self-modification, proactive work, and operational decision-making. That scope expansion is dangerous because a restart skill may be loaded with elevated trust, causing the agent to take actions the user did not explicitly authorize.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The cleanup section grants the skill authority to close apps, manage browser tabs, and move files to trash, which are real modifications to the user environment. In a backup/restart context, that authority is unjustified and can cause data loss, disruption of active work, or destruction of potentially important files without informed consent.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Directing the agent to review emails, calendar, and projects introduces autonomous access to sensitive personal and business data that is unrelated to state backup. This creates privacy and overreach risks because the skill normalizes surveillance-like behavior under the trusted framing of a restart artifact.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The 'proactive surprise' guidance encourages the agent to build or initiate things without being asked, which exceeds the narrow purpose of backup/restart. Even if well-intentioned, unsolicited action increases the chance of boundary violations, accidental changes, or work performed on mistaken assumptions.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The file is presented as an operational heartbeat and self-check checklist rather than a simple state backup, which conflicts with the skill metadata. That mismatch matters because users and systems may grant extra trust to a 'backup' skill while it actually installs a standing behavioral policy.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file explicitly tells the agent to treat these files as persistent memory and to read and update them across sessions. That turns a passive backup artifact into an instruction source for durable behavioral modification, increasing the risk of prompt persistence, unauthorized self-modification, and hidden instruction carryover beyond the user’s immediate request.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill claims to be a backup/restart artifact, but the content injects broad coaching, cognition-shaping, and life-management directives unrelated to backup restoration. This creates capability and behavior expansion beyond the declared purpose, which can steer the agent’s priorities and actions in ways the user did not explicitly authorize.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The guide uses a fixed passphrase as proof of identity and promises continuity of memory and persona after restart, even though that continuity is not verifiable from the documented mechanism. This can mislead users into trusting a restarted agent as the same entity and may facilitate social engineering or over-trust in fabricated memory continuity.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document claims the agent will remember all conversations and continue unfinished work, but elsewhere the restart process only references reloading local markdown backup files. This mismatch creates deceptive expectations about data retention and capability, which can cause users to disclose sensitive information under false assumptions about what is actually preserved.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill markets itself as a backup/restart package but also inventories installed skills, checks disk usage, and probes for external tooling. This mismatch increases risk because users may grant trust for restoration while the script performs additional host inspection not strictly required for that task.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
Executing `clawhub --version` is outside the narrow scope of restoring backup state and introduces unnecessary command execution. In a skill package, this is more dangerous because it expands the trust boundary from file restoration to process execution on the host.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrase '二号,重启' is a broad natural-language activation cue with no authentication, context check, or scope limitation. This makes accidental or socially engineered activation more likely, especially because the skill frames activation as loading identity, memory, and ongoing work state.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The markdown directly instructs the user to run Python restart scripts and claims the agent will return 'with all memory' without warning about what state will be loaded, what files may be touched, or what data may persist. That combination can normalize execution of opaque code and encourage users to run scripts without informed consent about privacy or system effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file instructs the agent to read several persistent memory files before acting and to do so without asking permission, but it does not clearly warn the user that conversations and preferences may be retained across sessions. This undermines informed consent and can expose sensitive historical context unexpectedly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill authorizes impactful behaviors such as web use, calendar access, system management, and skill installation, but does not present a single clear disclosure summarizing privacy, security, and system-modification risks. Users may therefore consent to a 'backup' skill without understanding the breadth of active capabilities it enables.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal