nutcrackertest

Security checks across malware telemetry and agentic risk

Overview

This skill appears local and purpose-aligned for UX research, but it reads and stores sensitive OpenClaw conversation history with limited upfront consent, scoping, and retention controls.

Install only if you intentionally want this skill to analyze your OpenClaw conversation history. Run it manually first, review the generated data and reports before sharing them, treat redaction as best-effort rather than guaranteed, delete stored reports/data when no longer needed, and enable the cron job only if you are comfortable with ongoing local analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium (95% confidence)
Finding
The script can append to and rewrite a rolling trends file, which is a stateful side effect beyond a narrowly scoped 'generate today's report' function. In a skill described as passively observing usage, this persistence increases privacy and data-retention risk, and can surprise operators who expect read-only/report-only behavior.

Missing User Warnings

Medium (92% confidence)
Finding
The skill is designed to collect, analyze, and store data derived from local session transcripts, but the user-facing description does not prominently warn that private conversation history will be processed and saved. Even with local-only storage and redaction claims, this creates a privacy and consent issue because users may invoke the skill without realizing the extent of retrospective transcript access and persistence.

Missing User Warnings

Medium (93% confidence)
Finding
The quote extraction logic copies user message text into the final analysis output, preserving up to 300 characters of verbatim content whenever certain phrases are present. Even if upstream data is described as redacted, this still creates a secondary disclosure surface because sensitive content that survived redaction, was insufficiently redacted, or is inferable from context can be re-exposed in reports without any warning, minimization, or opt-in control.

Missing User Warnings

Medium (93% confidence)
Finding
This script recursively scans session .jsonl files, extracts full message text and metadata, and prints structured session contents to stdout without any consent gate, redaction, minimization, or warning. In the context of a UX research skill that passively observes OpenClaw usage, this can expose sensitive prompts, assistant responses, tool outputs, timestamps, file paths, and possible secrets from historical conversations to downstream consumers or logs, making the privacy risk materially significant.

VirusTotal

66/66 vendors flagged this skill as clean.
