ClawRoam

Security checks across malware telemetry and agentic risk

Overview

ClawRoam appears to be a real sync tool, but it needs Review because it can sync and overwrite sensitive agent data while using unsafe dependency installation, SSH, package-install, and cloud-dashboard authentication patterns.

Install only if you are comfortable syncing sensitive agent memory, project context, package inventories, and possibly broader OpenClaw workspace files to your chosen provider. Review ~/.clawroam and the configured OpenClaw directory before enabling auto-sync, manually install rclone instead of letting provider scripts fetch installers, avoid Git/FTP providers unless host-key verification is fixed, and avoid the cloud dashboard until authentication is strengthened.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (45)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The manifest exposes powerful capabilities via declared tools (`exec`, `file`) and the skill content directs shell execution, network-backed provider setup, key management, and filesystem operations, but there is no explicit permissions model or user-consent boundary described in the metadata. That mismatch increases the chance the agent performs sensitive local or remote actions without the platform surfacing the true risk to the user.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The stated purpose frames the skill as syncing knowledge, packages, and memory, but the described behavior expands into full environment mirroring, restore/rollback, cloud account and billing flows, profile browsing/copying, and cryptographic key lifecycle management. This is dangerous because users may consent to a narrow backup feature while the skill actually handles much broader and more sensitive data and operations than advertised.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The dashboard authentication endpoint issues a bearer token solely by matching a submitted email and vault_id against the database, with no password, possession proof of a registered key, email verification, or external identity check. Because that JWT is accepted by the shared auth() path as full dashboard access for read/write operations, anyone who can guess or learn a victim's vault_id and email can obtain valid access to vault contents and management APIs.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The pull flow restores and overwrites local OpenClaw and vault content from remote data, including config files and project directories, without strong scope restriction or integrity verification of individual restored files. In a cloud-sync skill, this creates a real risk of remote state unexpectedly replacing local state, and if the remote account or service is compromised it can propagate malicious or destructive content into the local environment.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The provider auto-installs rclone by fetching and executing a remote installer script, including a privileged path on Linux. A sync provider does not need to perform unattended software installation to fulfill its core purpose, and this creates a supply-chain and remote-code-execution risk if the fetched script or delivery path is compromised.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The provider script goes beyond storage sync by automatically installing a dependency and, on fallback paths, executing a network-fetched installer script. That behavior expands the trust boundary substantially: compromise of the download source, transport, or install script would lead to arbitrary code execution on the local machine, and on Linux it may run with elevated privileges.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The helper forces SSH with `-o StrictHostKeyChecking=no`, which disables host authenticity verification for all Git operations. That allows a man-in-the-middle or DNS/route hijack to impersonate the remote repository and receive or supply vault contents, which is especially dangerous here because the vault contains identity, memory, and package data.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The header markets the provider as secure and encrypted with an Ed25519 key, but the implementation disables SSH host verification. This mismatch can mislead users into trusting the sync channel more than they should, increasing the chance they expose sensitive vault contents to an impersonated remote.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The provider auto-installs rclone and, on fallback paths, executes a remotely fetched installer script. A storage-sync helper should not silently expand its scope into package installation and code execution, because this creates a supply-chain and arbitrary code execution risk on the host. In this context the danger is higher because the function is reached by normal provider operations like push/pull/test, so users may trigger it unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script copies the entire configured OpenClaw workspace into the vault with rsync, excluding only a few common paths. In a skill marketed as a portable identity vault for syncing knowledge, packages, and memory, this broader behavior can silently collect unrelated source code, secrets, configs, tokens, and other sensitive workspace data, then commit and push them to external storage providers.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The pull path writes the vault's mirrored OpenClaw copy back into the live OpenClaw directory, effectively allowing remote vault contents to overwrite or modify the local workspace. Because the vault is populated from provider-backed data and auto-sync behavior is emphasized, this creates a risky bidirectional channel that can propagate unintended, stale, or malicious files into an active working environment.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script's advertised role is package tracking/sync, but `cmd_install` goes beyond inventory and performs software installation on the host. In a vault-sync context, this means package data pulled from external storage can directly drive system changes, increasing the risk of unintended or unreviewed package installation.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script constructs shell command strings from package names in `VAULT_REQ` and executes them with `eval`. Because the vault file is synced from external storage and parsed with minimal validation, a malicious package name containing shell metacharacters or command substitution could trigger arbitrary command execution when the user approves the install.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The catch block treats any network or backend failure as a successful signup and tells the user their account is ready, then displays setup steps. This is a deceptive success state that can mislead users into believing a cloud account or vault exists when it does not, causing confusion, failed onboarding, and unsafe assumptions about backup or sync availability.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README promotes syncing shared knowledge, memory, projects, and package lists across machines and remote providers, but it does not prominently warn users that potentially sensitive local agent data will be transmitted to third-party storage. In a skill whose core purpose is silent background synchronization, weak disclosure increases the risk of unintentional exfiltration of personal, project, or environment metadata.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The quick-start flow instructs users to run provider setup and immediately start auto-sync, but does not clearly warn that future file changes are auto-detected, committed, and pushed to remote storage. Because the product is designed to be 'automatic' and 'invisible,' this omission materially raises the chance that users enable continuous outbound syncing without understanding the privacy and data persistence consequences.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Triggers such as `sync`, `packages`, `backup`, `restore`, and `cloud` are broad everyday terms that can cause the skill to activate in unrelated conversations. Because this skill can run shell commands and initiate data transfer, accidental invocation materially increases the risk of unintended disclosure or modification.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises automatic continuous syncing of user knowledge and environment while minimizing the fact that files may be transmitted to third-party storage or cloud services. In a security-sensitive context, presenting the feature as invisible and automatic without an upfront transmission warning undermines informed consent and can expose sensitive data unexpectedly.

Missing User Warnings

High
Confidence
98% confidence
Finding
This is not just a UX warning issue; the endpoint effectively grants account access without authentication, then silently upgrades that access into a JWT usable across sensitive vault APIs. In the context of a cloud identity vault that stores synchronized knowledge, packages, memory, and files, this can directly expose confidential data and enable unauthorized modification, key registration, file copying, and other persistent account takeover actions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The design explicitly fails open: if fetching sync rules fails, the client proceeds to upload all files. In a file-sync/privacy feature, this can directly defeat user intent and cause unintended disclosure of excluded sensitive files during transient network, server, or auth failures.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The plan instructs the operator to request a real JWT for a live vault using a real email and production endpoint, but provides no warning about handling production credentials or data. This increases the chance of accidental token exposure in shell history, logs, screenshots, or shared terminals and normalizes testing directly against live user data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The plan tells users to modify sync exclusions on a real vault and uses example paths such as private notes and secrets files, which changes live server-side sync behavior for actual data. An operator following these steps could unintentionally stop sensitive files from being backed up or create inconsistent state across devices without understanding the consequence.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
These steps perform deployment, rsync to a remote machine, SSH execution, Git push, and marketplace publication with no explicit caution that they modify remote systems and publish externally. This creates operational risk because a user may execute irreversible production and distribution actions while treating the document as a harmless implementation note.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The pull operation copies remote files into local config and project paths without user confirmation, dry-run output, or conflict handling. This can silently overwrite local state and is especially dangerous in a sync tool because users may not expect a restore action to modify broader local workspace content beyond the vault staging area.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script executes a remote installer via curl-to-shell without an explicit confirmation at the point of execution. This is dangerous because users invoking a Dropbox sync command may not expect arbitrary downloaded code to run locally, and compromise of the remote script or transport would directly execute attacker-controlled commands.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal