Today Task

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it needs Review because it handles authorization codes, sends task content externally, stores local records by default, and includes under-scoped chat-secret and update-check behavior.

Install only if you are comfortable with task content, metadata, and an authorization code being sent to the configured endpoint. Avoid pasting auth codes into chat; configure them through a secure OpenClaw config path instead. Review or disable local push records/logs if task results may contain sensitive data, and be aware that the skill includes a default-enabled ClawHub update check.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill documentation describes capabilities that include file reads/writes, network access, and shell execution, yet no permissions are explicitly declared. This creates a transparency and policy gap: users and the platform cannot accurately assess or constrain what the skill may do before invocation.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The declared purpose is a simple task-result pusher, but the documented behavior goes beyond that by reading global config, persisting records and logs, inspecting user chat for auth codes, and invoking shell-based update checks. This mismatch increases the chance of users authorizing behavior they did not reasonably expect, including sensitive secret handling and additional network/subprocess activity.

Intent-Code Divergence

Severity: Medium
Confidence: 87%
Finding: The documentation contradicts itself on whether detected auth codes are merely surfaced as configuration commands or automatically written into configuration files. Contradictory secret-handling instructions are dangerous because they can lead to accidental secret persistence, inconsistent implementations, and user misunderstanding about where credentials end up.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding: The document describes an embedded update-checking subsystem that materially expands the skill's scope beyond its stated purpose of pushing task results. In an agent skill, undocumented or weakly justified auxiliary capabilities, especially ones involving version management and network activity, create supply-chain and trust-boundary risk because users may not expect the skill to contact external services or manage updates.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: A task-result pusher does not inherently need autonomous network update checks, so this capability is insufficiently justified by the skill's business purpose. In practice, unnecessary outbound network behavior increases the attack surface for metadata leakage, server impersonation, or future malicious update-channel abuse, especially if users treat the skill as a local utility.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: This file introduces authorization-code detection and emits a shell-like configuration command containing the supplied secret, even though the skill is described as a task-result pusher. That scope mismatch increases the chance the skill is collecting or handling credentials unexpectedly, and the generated command exposes the full auth code in cleartext where it may be copied into shell history, logs, screenshots, or chat transcripts.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The script includes logic to detect an authorization code from arbitrary user input and then persistently update configuration, which exceeds the stated purpose of a task-result pusher. Mixing result delivery with credential handling increases the attack surface: a caller can cause sensitive auth material to be extracted from text and written to long-lived config, creating opportunities for unintended secret capture, persistence, or privilege confusion.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The fallback configuration path reads the user's global OpenClaw configuration from ~/.openclaw/openclaw.json, giving this skill access to broader local sensitive configuration than its narrow push-only function requires. This creates unnecessary exposure of secrets and configuration metadata, especially because the fallback path is activated when imports fail and may run in less-audited environments.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The skill writes push response records to local JSON files under a persistent directory, even though its stated purpose is only to push task results. Those records can contain task metadata and the upstream service response, which may include sensitive task content or identifiers, creating unnecessary local data retention and increasing exposure if the host is shared or later compromised.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The skill's declared purpose is task-result pushing, but this file adds update-check logic that performs external inspection through a registry/CLI call. This expands the skill's trust boundary and creates undisclosed outbound behavior, which is risky because users and reviewers may not expect network- or tool-mediated external communication from this skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: Using a subprocess to inspect package or registry state is not justified by the stated role of a result-pushing skill. Even with a fixed command, this introduces unnecessary execution capability and dependency on external tooling, increasing attack surface and creating opportunities for abuse if the environment or PATH is tampered with.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The trigger includes a broad catch-all phrase for 'any scenario' where task results might be pushed, which can cause accidental activation. In this skill context, accidental invocation is more dangerous because activation may initiate network transmission of task content and use stored authorization credentials.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The documented trigger list contains an overly broad fallback scenario without scope constraints. Because this skill can send task content and metadata to a remote endpoint, broad triggering materially raises the risk of unintended data exfiltration through normal conversation flow.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The logger persists user-provided task fields such as summary, result, content length, and partial auth data to disk, and may also log full error response details on failure. In a task-result push skill, these values can contain sensitive business data, identifiers, or server-side diagnostic content, creating a confidentiality risk if log files are accessible, retained too long, or collected centrally.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The code sends task content and an authorization code to a remote service without an explicit user-facing consent prompt or prominent warning at the time of transmission. In a task-result pusher, network transmission is expected, but sending potentially sensitive content and credentials without clear notice increases the risk of unintended data disclosure.

Ssd 3

Severity: High
Confidence: 98%
Finding: The skill instructs the system to detect authorization codes from user chat and persist them into configuration for later use. Extracting secrets from conversational text and storing them automatically is dangerous because chat logs are a less secure channel, users may paste secrets unintentionally, and persistence expands the blast radius if local config is exposed.

Ssd 3

Severity: High
Confidence: 96%
Finding: The workflow encourages extracting auth codes from chat and generating commands that contain the full secret. This is dangerous because it normalizes sharing secrets in conversation and may expose the token in chat history, terminal history, screenshots, and logs, undermining the skill's own warnings against pasting auth codes in chat.

VirusTotal

64/64 vendors flagged this skill as clean.