Sageox Summary

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed SageOx summary helper that uses local CLIs, a pinned user-local ox install, and local state to summarize team activity with Claude.

Install only if you are comfortable with a checksum-verified ox binary being installed in your home directory and with selected SageOx distilled team entries being sent through the Claude CLI using your existing credentials. Review the pinned ox version and local state paths if your environment has strict supply-chain or data-handling requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill heavily relies on shell execution (`bash`, `timeout`, `ox`, `jq`, `claude`) yet declares no permissions. That creates a misleading trust boundary: a user or host may believe the skill is data-only or low-risk while it can execute commands, read/write state files, and invoke external CLIs. In agent ecosystems, undeclared execution capability is itself a security issue because it bypasses informed consent and policy gating.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose is summarization, but the instructions also include software installation/update flows, PATH validation, binary integrity/version enforcement, and persistent state mutation. This mismatch is dangerous because users may approve the skill expecting read-only summarization while it can alter the local environment and install binaries, increasing the attack surface and enabling unexpected side effects.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The script downloads a remote release archive from GitHub and installs executable binaries into the user's home directory, which is a significant capability expansion beyond a read-only team-summary skill. Although the download is pinned and checksum-verified, the behavior still introduces supply-chain and local code-execution risk that is not justified by the declared skill purpose.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is described as a summarization tool, but the script performs persistent local system changes by moving binaries into `$HOME/.local/bin` and writing state under `~/.openclaw/memory`. This mismatch between declared purpose and actual behavior is dangerous because users and reviewers may grant trust appropriate for a read-only skill while the code modifies the execution environment and establishes durable state.

External Script Fetching

High
Category
Supply Chain
Content
[`references/INSTALL.md`](references/INSTALL.md), follow the install flow, then re-run this script to confirm.

There is no per-run auto-update. The curl install pins a specific `ox` release by tag and sha256; users pick up newer releases by re-running `clawhub install` for this skill after a new skill version publishes. The user can say **"reinstall ox"** at any time to re-enter the flow in
Confidence
87% confidence
Finding
curl install pins a specific `ox` release by tag and sha256; users pick up newer releases by re-running `clawhub install` for this skill after a new skill version publishes. The user can say **"reinst

VirusTotal

66/66 vendors flagged this skill as clean.
