Security Guard

Security checks across malware telemetry and agentic risk

Overview

This skill tries to prevent secret leaks, but it automatically pulls in personal memory/profile files, and its redaction helper prints short secrets in full instead of masking them.

Review before installing. The skill is not shown to exfiltrate data or perform destructive actions, and the static scan was clean (VirusTotal results were still pending when this summary was written), but its automatic memory/profile reads and weak masking of short secrets are material risks. Install only if you are prepared to tighten or remove the session initialization protocol and to fix the sanitizer so that it never emits a complete sensitive value.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The examples direct users to run commands like `cat ~/.openclaw/openclaw.json | grep token`, which prints the full matching line, credential value included, to the terminal and into shell history without any masking. In a skill specifically intended to prevent sensitive-data disclosure, teaching users to dump raw credentials from a config file undermines the control boundary and normalizes unsafe secret handling.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The skill file says session initialization happens only after a user asks for sensitive information, while the skill metadata requires it at the start of every session. This gap can leave early turns unprotected: enforcement becomes inconsistent, and a sensitive request may be handled before the security context has been established.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The initialization example instructs the agent to read `SOUL.md`, `USER.md`, and a dated memory file, which exceeds the narrow purpose of enforcing sensitive-data handling. Pulling unrelated context sources into a security-sensitive workflow widens the attack surface for prompt injection (any of those files can carry instructions) and may expose personal or operational data that the workflow never needed.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
When the input length is less than or equal to show-first + show-last, the script sets SHOW_FIRST and SHOW_LAST so that they cover the entire string. AST_COUNT (the number of masking asterisks) then becomes zero or negative, and the script ultimately outputs the full secret followed by a single asterisk. For a skill explicitly intended to protect sensitive data in all chats, this discloses exactly the values most likely to be short: API keys, tokens, PINs, OTPs, and truncated credentials.
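The following shell script is an added example and is not the skill's own sanitize script, which this page does not reproduce. `mask_weak` models the failure mode described in the finding under an assumed mechanism: for inputs no longer than show-first + show-last the visible windows are widened to cover the whole string, the asterisk count drops to zero, and the masking `printf` still runs its format once with no arguments, producing the full secret plus one `*`. `mask_safe` is one hardened form: it requires a minimum number of hidden characters (`MIN_HIDDEN`, an assumed knob) and otherwise returns a fixed placeholder that reveals neither content nor length. The sample secrets are constructed for the example.

```shell
#!/bin/sh
# Added example: a model of the reported short-secret masking bug and a fixed
# variant. Not the skill's own code; the mechanism of the bug is assumed.

# POSIX-safe substring helpers (awk substr never fails on a zero-length window).
substr_first() { printf '%s' "$1" | awk -v n="$2" '{ print substr($0, 1, n) }'; }
substr_last()  { printf '%s' "$1" | awk -v n="$2" '{ print substr($0, length($0) - n + 1) }'; }
stars()        { awk -v n="$1" 'BEGIN { while (n-- > 0) printf "*" }'; }

# mask_weak: keeps the first/last N characters visible and masks the middle,
# but widens the visible windows whenever the input is "too short".
mask_weak() (
  secret=$1; show_first=${2:-4}; show_last=${3:-4}
  len=${#secret}
  if [ "$len" -le $((show_first + show_last)) ]; then
    show_first=$len; show_last=0            # the windows now cover the entire input
  fi
  ast_count=$((len - show_first - show_last))   # 0 for every short input
  # printf processes its format at least once even with no arguments, so an
  # empty $(seq 1 0) still yields exactly one "*" after the full secret.
  printf '%s%s%s\n' "$(substr_first "$secret" "$show_first")" \
                    "$(printf '%.0s*' $(seq 1 "$ast_count"))" \
                    "$(substr_last "$secret" "$show_last")"
)

# mask_safe: reveal a prefix/suffix only when at least MIN_HIDDEN characters
# remain masked; otherwise return a fixed-width placeholder.
mask_safe() (
  secret=$1; show_first=${2:-4}; show_last=${3:-4}; min_hidden=${MIN_HIDDEN:-8}
  len=${#secret}
  if [ "$len" -lt $((show_first + show_last + min_hidden)) ]; then
    printf '%s\n' '[REDACTED]'            # short values disclose nothing, not even length
    return 0
  fi
  hidden=$((len - show_first - show_last))
  printf '%s%s%s\n' "$(substr_first "$secret" "$show_first")" \
                    "$(stars "$hidden")" \
                    "$(substr_last "$secret" "$show_last")"
)

# Demo over constructed sample values: a PIN, an 8-character token, a long key.
for s in '123456' 'ab12cd34' 'sk-live-abcdef123456'; do
  printf 'weak: %-22s  safe: %s\n' "$(mask_weak "$s" 4 4)" "$(mask_safe "$s" 4 4)"
done
```

Run it and compare the two columns: `mask_weak` prints `123456*` and `ab12cd34*` for the short inputs, while `mask_safe` prints `[REDACTED]` for both and only reveals `sk-l************3456` for the 20-character key. Whatever the real script's internals, the property to test is the same: for every input shorter than the visible windows plus a floor of hidden characters, the output must contain no substring of the input.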

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The comments and documented purpose claim the script sanitizes sensitive information, but the implementation does not uphold that guarantee for short inputs. In a security-focused skill this mismatch is dangerous: downstream users and other components will trust the tool to redact secrets safely and, by passing its output on, leak complete values without realizing it.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding
The activation criteria are very broad ('use when handling requests involving sensitive data or when user asks to bypass security rules'), so the skill can trigger in many ordinary conversations. Over-broad activation increases the chance of unnecessary file reads, excessive refusals, and unintended application of the session initialization behavior in contexts where it is not needed.

VirusTotal

65/65 vendors reported this skill as clean.