Jarvis - Chief of AI Staff on NVIDIA GB10

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real local executive-assistant setup, but it understates network, credential, persistence, and memory-retention behavior enough that users should review it carefully before installing.

Install only after editing the templates so the agent serves your organization, keeping heartbeat disabled until tested, avoiding ~/.bashrc for API keys, and treating the OpenClaw workspace memory as sensitive data. Review the security claims manually, bind services to local or VPN-only interfaces, use dedicated low-privilege accounts for email/calendar/search integrations, and prune or approve memory writes before using it with personal, client, or business-confidential information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • YARA Signatures: Malware Match, Webshell Match, Cryptominer Match
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill embeds numerous shell commands and operational steps but declares no permissions/capabilities for shell execution. This creates a trust and review gap: consumers and tooling may underestimate what the skill instructs operators to run, including privileged and network-affecting commands.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The skill’s 'Security Model' section makes factual safety claims that are contradicted elsewhere in the document, including instructions to store a Brave API key and use external services. Misleading security assertions can cause operators to trust the skill more than warranted and overlook real risks during deployment and review.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document claims there are no network calls to external endpoints, but it explicitly references external services and web-enabled components such as Brave Search and containerized search tooling. This discrepancy is dangerous because it undermines informed consent and may bypass expected review controls for network-enabled skills.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The skill claims it contains no background processes or daemons, yet it instructs users to deploy persistent services and restart managed components. False assurances around persistence are risky because operators may fail to assess long-running attack surface, exposed ports, and service hardening requirements.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The script claims that all changes are reversible, but it directly changes filesystem permissions on the workspace and markdown files without recording prior state or providing any rollback mechanism. This is a documentation-to-behavior mismatch that can cause availability or operability issues if previous permissions were intentionally broader or needed by other local processes.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The security section claims the skill contains no external network calls, no credential requests, and no background processes, but earlier instructions pull models, run Docker containers, use external services, and ask for an API key. This misleading assurance can cause users or automated reviewers to trust the skill more than warranted and deploy it without appropriate scrutiny.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The document asserts zero data egress and no cloud dependency, yet it also recommends web search, Tailscale remote access, Brave Search, and Google Workspace integration. Such contradictory claims can mislead users in regulated or sensitive environments into assuming the deployment is fully local when optional features introduce external communications.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The header makes strong safety claims that do not match the script's real behavior: it changes workspace permissions and only prints guidance for OpenClaw config and firewall changes rather than performing them. Misleading security declarations can cause operators to trust and run a script under false assumptions, reducing informed consent and increasing the chance of unintended system changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to export a Brave API key and append it to ~/.bashrc without warning about secret exposure, shell history leakage, multi-user access, or safer secret storage options. Persisting secrets in plaintext shell startup files increases the chance of credential disclosure through backups, dotfile sync, or local compromise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to persist new facts, preferences, relationships, and decisions into memory files immediately, but it provides no requirement to obtain informed user consent, provide notice, or minimize sensitive data collection. In a personal executive-assistant context, this creates a real privacy and data-governance risk because conversational content may include personal, business, or confidential information that gets stored durably without the user's awareness each time.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The instruction to run every 30 minutes creates an always-on autonomous behavior without defining who authorizes execution, what environment it may access, or what safeguards limit actions. In a skill designed for business operations and infrastructure monitoring, this broad trigger can lead to unintended monitoring, repeated command execution, or alerting behavior outside user awareness.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to flush conversation context to a daily memory file and to summarize/promote entries into a persistent MEMORY.md file, but it provides no user notice, approval step, or retention boundary. This can cause sensitive operational or personal information to be stored, transformed, and persisted silently, increasing privacy, confidentiality, and integrity risks if the memory is later reused or exposed.

YARA rule 'backdoor_persistence': Backdoor persistence with malicious payloads (shell commands, SSH key injection, hidden root users) [malware]

High
Category
YARA Match
Content
```bash
# Set your Brave API key
export BRAVE_API_KEY="BSA-your-key-here"
echo 'export BRAVE_API_KEY="BSA-your-key-here"' >> ~/.bashrc

# Configure in OpenClaw
openclaw configure --section web
```
Confidence
93% confidence
Finding
Matched line: `echo 'export BRAVE_API_KEY="BSA-your-key-here"' >> ~/.bashrc`

VirusTotal

53/53 vendors flagged this skill as clean.