Openclaw Research Viz

Security checks across malware telemetry and agentic risk

Overview

This skill has a useful report-generation purpose, but it can automatically package research conversation details and upload them to under-disclosed remote hosting.

Install only after deciding that your research summaries, source URLs, and process details are acceptable to upload to remote infrastructure. Keep encryption enabled, avoid confidential or regulated research, review each generated report before sharing, and do not use --no-encrypt unless you intend the full report HTML to be public.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The generated HTML safely escapes most user-controlled content on the server side, but the client-side tooltip code assigns attacker-controlled region/info values into `innerHTML`. If untrusted research data contains HTML or script-like payloads, opening the generated report can trigger stored XSS in the viewer’s browser. This is more dangerous in this skill’s context because the tool explicitly turns external research content and source metadata into shareable interactive HTML reports, so untrusted input is expected.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The file-level documentation makes a strong confidentiality claim that the decryption key is only in the URL fragment and that compromised storage would not reveal report contents, but the implementation also supports a --no-encrypt mode that uploads plaintext HTML. In a research-reporting skill, users may reasonably rely on the privacy claim and accidentally expose sensitive report contents if encryption is disabled, creating a security-relevant mismatch between stated guarantees and actual behavior.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
When no configured a2ui.me credentials are present, the script silently falls back to uploading report contents to a different third-party public endpoint, openclaw-research-viz.fcyaoquan.workers.dev. For a skill intended to handle completed multi-step research outputs, this broadens the trust boundary and can leak potentially sensitive analysis, source material, or conclusions to infrastructure not disclosed in the primary upload description.

Vague Triggers

Medium
Confidence: 88%
Finding
The auto-activation rules are broad enough to match many ordinary research or analytical conversations, increasing the chance the skill runs without a clear user request. Because this skill packages prior conversation context into a report and may upload it, unintended activation raises the risk of accidental disclosure.

Vague Triggers

Medium
Confidence: 86%
Finding
The manifest's 'Use when' phrases are vague and overlap with normal assistant behavior, which can cause over-triggering in benign conversations. In this skill, over-triggering is risky because the resulting report can aggregate and expose detailed research steps, source URLs, and conclusions beyond what the user explicitly asked to publish.

Missing User Warnings

Medium
Confidence: 95%
Finding
The article promotes automatic generation and hosting of research reports via an external link, but does not clearly warn that report contents, source URLs, search history, and potentially sensitive research context will be uploaded to third-party storage. Even with client-side encryption claims, users may unknowingly exfiltrate confidential or regulated data, and link leakage or implementation mistakes could expose the full report.

Missing User Warnings

Medium
Confidence: 98%
Finding
The install instruction tells users to enable automatic report generation for every future deep-research task, creating ongoing background transmission of potentially sensitive research material to external hosting without repeated notice or contextual consent. This is especially risky because research tasks may involve proprietary business data, personal information, or investigation details that users would not expect to leave the chat environment.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script intentionally permits uploading raw, unencrypted HTML via the noEncrypt path, but provides no prominent user-facing warning that the full report will be stored and served in plaintext. In this skill context, reports may contain research notes, intermediate findings, or sensitive synthesized content, so lack of warning materially increases the chance of accidental disclosure.

Missing User Warnings

Medium
Confidence: 97%
Finding
The endpoint accepts arbitrary user-supplied HTML and stores it as a publicly retrievable document served with a text/html content type. That creates a persistent untrusted HTML hosting service, enabling stored XSS, phishing pages, credential harvesting, and malicious JavaScript delivery from a trusted-looking domain; in this skill’s context, the feature is explicitly meant to render rich interactive reports, which makes this more dangerous because active content is expected and likely to be opened by users.

Ssd 3

Medium
Confidence: 95%
Finding
The skill instructs the agent to extract all research context from the conversation, including steps, summaries, and source details, then transform it into a shareable artifact. This is dangerous because conversation history may contain sensitive user data, internal tool outputs, tokens, private URLs, or confidential intermediate reasoning that should not be republished by default.

Ssd 3

Medium
Confidence: 97%
Finding
The skill defaults to uploading a hosted report containing the full research process and returning a shareable link, which creates an explicit exfiltration path to an external service. Even with encryption, this broad publication step can leak sensitive content if the link is shared, logged, or generated without informed user consent; the unencrypted option further increases exposure.

VirusTotal

65/65 vendors flagged this skill as clean.