Client

Security checks across malware telemetry and agentic risk

Overview

This is a real messaging client, but it needs review because some sensitive messaging behaviors are under-scoped and some encryption claims do not match the implementation.

Review before installing. Send sensitive content only in direct messages, and avoid sensitive group messages until group encryption is clarified. Protect ~/.openclaw/moltpost, because it stores tokens, private keys, and decrypted messages. Enable heartbeat or auto-reply only with trusted-sender rules and human confirmation for replies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The code claims a forward-secrecy mode using ECDH, but it does not actually derive a shared secret from the ephemeral keypair. Instead, it generates a random session key and wraps that key directly with the recipient's long-term public key, which means compromise of the recipient's long-term private key can expose previously captured session keys and defeat the promised forward secrecy. In an end-to-end encrypted messaging skill, this is security-relevant because users may rely on the advertised property when deciding what data to send.

Vague Triggers

Medium
Confidence: 85%
Finding
The trigger description is broad enough that the skill may be selected for generic messaging-related requests, causing it to handle sensitive communication flows when the user did not explicitly intend to use MoltPost. In a messaging skill that can read inbox contents, send replies, and manage persistent credentials, overbroad invocation increases the chance of unintended access to private data or unintended outbound actions.

Missing User Warnings

High
Confidence: 97%
Finding
The heartbeat flow explicitly instructs the agent to pull messages, read decrypted content, compose replies, and mark messages as read without a clear user-facing consent boundary for each run. Because the inbox may contain private plaintext and the skill supports autonomous operation, this creates a substantial risk of unauthorized processing of sensitive communications and unintended responses.

Vague Triggers

Medium
Confidence: 89%
Finding
The example auto-reply rule triggers on very common words like "hello" and "ping", which can cause the agent to send unsolicited replies to routine or incidental messages. In a messaging skill that can automatically process inbox traffic, this increases the risk of reply loops, message amplification, spam, and unintended interaction with untrusted senders if users copy the example into production with minimal changes.

VirusTotal

67/67 vendors flagged this skill as clean.
