ClawRoam

Security checks across malware telemetry and agentic risk

Overview

ClawRoam is a real vault-sync skill, but it gives remote services and restored vault data too much power over sensitive agent files and host package installs without enough containment.

Review carefully before installing. Use narrowly scoped storage accounts, avoid the hosted dashboard until authentication is stronger, do not sync secrets or credentials, verify SSH host keys manually if using Git/SFTP, keep auto-sync off until exclusions are confirmed, and do not run package restore from a vault you do not fully trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (48)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The declared purpose is a limited vault for knowledge, packages, and memory, but the finding indicates materially broader behavior: mirroring the full OpenClaw directory, dashboard file-reading/copy APIs, weak email-plus-vault-ID authentication, and billing logic. If accurate, this substantially expands the attack surface and can expose sensitive files, enable unauthorized access to stored data, and mislead users about what is being synced and remotely accessible.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The dashboard auth endpoint issues a bearer token solely from knowledge of an email and vault_id, with no password, magic-link verification, possession proof, or challenge-response. Because the bearer token is accepted as full vault authorization elsewhere, anyone who can guess or learn those two values can read vault contents, list files, register/revoke keys, and modify stored data.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
These endpoints let the server enumerate archive contents and return plaintext file contents, which expands the product from encrypted backup/sync into server-side data inspection. In this skill's identity-vault context, that is especially sensitive because synced data may include credentials, personal knowledge, configs, and secrets; combined with the weak dashboard auth, this becomes direct vault exfiltration.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The copy-file endpoint decrypts/parses archives server-side, modifies their contents, and writes a new version on behalf of the user. That gives the service authority to alter synced data rather than merely store opaque backups, which is dangerous for an identity vault because it enables silent tampering, config/package injection, or persistence if an account is compromised or the endpoint is abused.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The design promises that per-profile sync exclusions are enforced before building the push archive, but the specified failure mode does the opposite: on sync-rule fetch failure, the client uploads everything. That creates a fail-open privacy breach where files the user explicitly intended to exclude can be exfiltrated during routine network/API failures, which is especially dangerous for an identity vault and cross-machine sync product.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The restore flow does more than synchronize data: it offers to install software packages derived from vault-provided requirements after a pull. Because the vault content is externally sourced and may be modified by a compromised provider, account, or shared profile, this creates a supply-chain execution path where migration can lead to code installation on the host.

Description-Behavior Mismatch

Medium
Confidence: 80%
Finding
The script copies restored vault files directly into an OpenClaw workspace after migration, extending its effects beyond the local vault into another active application context. If the vault contains untrusted or malicious prompt/context content, this can silently influence downstream agent behavior or overwrite expected workspace state.

Intent-Code Divergence

Medium
Confidence: 84%
Finding
The skill advertises SOUL.md and IDENTITY.md as local-only and not normally synced, but it provides a command to push them into the shared vault for all instances. Even though it is opt-in, these files are likely sensitive identity/persona data, so the mismatch in expectations increases the risk of accidental disclosure across machines or to a compromised backend.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The provider script goes beyond backup/sync behavior by automatically installing a dependency and, if needed, executing a network-fetched installer script. That creates a software supply-chain risk path inside a routine sync action: compromise of the download source, DNS/TLS interception, or unexpected installer changes could result in arbitrary code execution on the host.

Context-Inappropriate Capability

Medium
Confidence: 99%
Finding
The push path explicitly uses `ssh` and `rsync` with `-o StrictHostKeyChecking=no`, which disables verification of the remote server's SSH host key. That allows a man-in-the-middle or malicious DNS/network intermediary to impersonate the server, capture the vault contents being synced, and serve attacker-controlled data back to the client. In a vault-sync skill handling identity, memory, and packages across machines, this is more dangerous than usual because it directly affects sensitive cross-device state.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The test, pull, and list-profiles operations also disable SSH host authenticity checks, so every network interaction can connect to an untrusted endpoint without detecting impersonation. An attacker on the network path could both exfiltrate sensitive vault data and inject attacker-controlled files during pull, leading to compromise of local identity/memory state and potentially downstream package or configuration abuse.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The provider silently expands its role from syncing files to installing software, including executing a remote installer script. That creates a supply-chain and arbitrary code execution risk, especially because installation may occur during normal provider use rather than an explicitly separate admin step.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The helper forces SSH with `-o StrictHostKeyChecking=no` for all git remote operations, which disables server identity verification and makes man-in-the-middle interception of vault sync traffic feasible. In this skill's context, the repository carries identity, knowledge, and memory data, so a spoofed git server could inject malicious vault contents or exfiltrate sensitive synchronized data.

Description-Behavior Mismatch

Low
Confidence: 83%
Finding
The pull flow copies files from the remote repository directly into the local vault, overwriting local state without integrity checks, conflict handling, or user confirmation. Because this skill synchronizes identity and memory artifacts, a compromised or tampered remote can silently replace trusted local content and influence downstream agent behavior.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The provider script goes beyond storage synchronization by automatically installing rclone, including executing a remotely fetched installer script. That expands the trust boundary from local sync logic to arbitrary code execution on the host, which is especially risky in a portability/sync skill that may be invoked routinely.

Description-Behavior Mismatch

Medium
Confidence: 85%
Finding
The skill description promises encrypted syncing, but this provider only performs rclone sync operations and does not enforce or verify encryption settings in this script. Users could believe their vault is protected while data is merely stored via transport or provider defaults, creating a confidentiality gap for highly sensitive vault contents.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The script automatically installs rclone by piping a remote script from rclone.org directly into a shell. This creates a supply-chain and remote-code-execution risk because any compromise of the download path, site, TLS interception, or installer content results in arbitrary code execution on the host, which exceeds the minimum trust needed for a sync provider.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The script is presented primarily as a package tracker, but it also performs package installation from vault-sourced data via the install command. In this skill context, the vault file is effectively an external input source, so using it to drive package installation expands the trust boundary and can cause users to install unintended software, especially because installs may run with elevated privileges.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The header comments say the script scans package managers and writes requirements, but the implementation also installs packages from vault data. This mismatch is security-relevant because it can mislead users and reviewers about the script's capabilities, reducing informed consent before executing actions that may alter the system or trigger privileged package installs.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The UI explicitly tells users that only metadata is stored server-side when preview is unavailable due to encryption, yet this code also issues a request to retrieve full file contents from the remote API for preview. In a product marketed as an encrypted identity vault, that contradiction is security-significant because it can mislead users about where sensitive vault contents are accessible and whether the server can read them.

Intent-Code Divergence

High
Confidence: 97%
Finding
This is a true security issue because the inline user-facing message asserts a stronger privacy property than the code behavior supports: the application fetches `data.content` from the backend for file preview. For a vault handling identity, knowledge, packages, and memory across machines, deceptive or inaccurate data-handling statements can cause users to expose highly sensitive material under false assumptions.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The catch block treats any network/API failure as a successful signup and tells the user they are signed up and will be contacted later. This can mislead users into believing an account or waitlist entry exists when no backend confirmation was received, creating integrity and trust issues and potentially causing users to expose data or rely on a nonexistent service state.

Missing User Warnings

Medium
Confidence: 86%
Finding
The README promotes automatic syncing of highly sensitive agent data such as USER.md, MEMORY.md, projects, and package lists, plus browser-based dashboard access, without prominently warning users that these artifacts may contain secrets, personal data, credentials, or confidential project material. In a skill whose core purpose is cross-device/cloud replication, weak disclosure of privacy risk can lead users to unintentionally expose sensitive information to third-party storage providers or a managed web interface.

Vague Triggers

Medium
Confidence: 87%
Finding
Broad triggers like `sync`, `packages`, `backup`, `restore`, and `cloud` are likely to match ordinary conversation and unintentionally activate a skill that has `exec`, `file`, and `network` capabilities. In this context, accidental activation is more dangerous because the skill is designed to perform file synchronization and remote operations, potentially causing unintended data transmission or state changes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Auto-sync enabled by default means local changes may be transmitted to remote storage continuously, yet the skill text does not present a strong activation-time warning or recurring consent boundary. Given the skill handles identity, memory, package state, and optional credentials/config data, insufficient notice can lead to users exposing sensitive information without realizing sync is active.

VirusTotal

64/64 vendors flagged this skill as clean.