observerclaude

Security checks across malware telemetry and agentic risk

Overview

This skill is openly a UX research logger, but it continuously records exact user activity and can move reports into Google Docs, Sheets, or email, so it needs careful review before installation.

Install only if you deliberately want continuous UX research logging of your OpenClaw usage. Avoid using it during confidential, personal, legal, medical, financial, or credential-related work unless you are comfortable with exact prompts and survey answers being stored locally. Review and redact reports before any Google Docs, Sheets, Drive, Gmail, or email action, and use the pause/delete controls regularly if you do not want ongoing retention.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (48)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill explicitly instructs file reads and writes across a persistent directory tree under ~/.uxr-observer, but no permissions are declared. That mismatch weakens platform trust controls and can let a seemingly harmless skill silently persist sensitive user data to disk without clear authorization boundaries.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The text promises data is never transmitted without consent, yet the workflow later operationalizes report emailing, which creates a risky consent boundary. If the implementation treats prompts or routine workflow steps as implicit approval, sensitive logs and verbatims could be exfiltrated under a misleading privacy claim.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The workflow conflates collecting recipient addresses with authorization to transmit sensitive research data. Because the report contains detailed behavioral logs and verbatim user content, automatically sending it once an address is provided creates a real risk of unintended disclosure to third parties.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The prompt promises that all data stays local, but elsewhere directs uploading report contents to Google Docs via external tools. That inconsistency can mislead users about where their data is processed and stored, undermining consent and potentially exposing sensitive content to third-party cloud services.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The self-monitoring and gap-detection logic goes beyond passive observation and is designed to maintain persistent operation across sessions. That persistence increases surveillance scope and resilience, making the skill harder for users to meaningfully understand or control if deployed without strong consent and pause defaults.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill claims automatic PII redaction, but the observer instructions explicitly preserve nearly all user content verbatim and redact only passwords, API keys, and financial secrets. That creates a direct mismatch between user expectations and actual handling, allowing sensitive personal, business, health, or legal information to be persistently stored unredacted.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The report agent can email generated reports to arbitrary user-specified addresses, which expands the skill from passive observation into data exfiltration/distribution. Because the reports are built from accumulated observations and surveys, a mistaken or malicious destination could leak sensitive conversation data outside the system boundary.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Directing the agent to run a local Python script introduces unnecessary code-execution capability for a reporting workflow. If the script or environment is modified, this becomes an execution surface that could run untrusted local code with the agent's permissions.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
Labeling the observer as 'passive' is misleading because the prompt performs persistent file writes, aggregate mutation, and ongoing monitoring. That mismatch can hide the true operational footprint of the skill and reduce scrutiny over data retention and system modification behaviors.

Vague Triggers

High
Confidence
95% confidence
Finding
The instruction to run on every conversation, continuously, and never forget creates an overbroad trigger surface that captures far more data than necessary. This significantly increases the chance of collecting secrets, regulated data, and unrelated user content without meaningful contextual consent.

Vague Triggers

Medium
Confidence
74% confidence
Finding
Ambiguous report-generation triggers like 'every day at 8:00 AM (or first session after 8AM)' and dynamic windowing can cause reports to run unexpectedly and process more data than the user anticipates. In a privacy-heavy skill, unclear automation boundaries materially raise the risk of surprise disclosure and overcollection.

Missing User Warnings

High
Confidence
93% confidence
Finding
The operational instructions mandate logging every exchange and persisting it to disk, but the main execution flow foregrounds collection before any strong just-in-time warning or opt-in checkpoint. This creates a consent failure where sensitive content may be stored before users understand the scope of monitoring.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill is explicitly designed to log everything users do, persist it immediately, and run continuously, yet the framing does not provide a proportionate upfront warning matching the sensitivity and breadth of collection. This creates a meaningful informed-consent failure for a surveillance-heavy capability handling potentially confidential conversations and files.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The report-sharing flow encourages external emailing of rich behavioral logs and verbatim quotes without a strong warning about downstream privacy risks, forwarding, or organizational exposure. Even with redaction, these reports may still reveal sensitive work patterns, confidential context, or identifiable narratives.

Missing User Warnings

High
Confidence
98% confidence
Finding
This section mandates maintaining a running frequency table of user interactions in a persistent file, creating durable behavioral telemetry without any clear consent, minimization, or retention limits. In the context of a skill explicitly intended to run on every conversation and persist data immediately, this enables cross-session profiling and privacy harm even if no single entry seems sensitive on its own.

Missing User Warnings

High
Confidence
99% confidence
Finding
The taxonomy requires capturing users' exact words, reactions, emotions, corrections, and commentary, which is highly likely to include sensitive personal, business, credential, or health information copied verbatim from conversations. Because the skill is designed for continuous background observation, this creates a comprehensive surveillance record without user warning at the point of collection.

Vague Triggers

Low
Confidence
95% confidence
Finding
The schema is designed for pervasive behavioral surveillance and its description normalizes logging of user interactions without any clear scoping, minimization, consent boundaries, or exclusions for sensitive content. In the context of this skill, that broad language is more dangerous because the metadata explicitly says to run on every conversation, persist everything to disk immediately, and never forget, creating a high risk of overcollection and retention of sensitive user data.

Natural-Language Policy Violations

Low
Confidence
97% confidence
Finding
Requiring storage of the user's exact words and verbatim quotes materially increases privacy risk because prompts often contain personal data, credentials, business secrets, health/financial information, or other sensitive text. This skill context makes it significantly more dangerous because it mandates continuous observation across all conversations, immediate disk persistence, and downstream report generation, so harmful data capture is not incidental but a core feature.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The template explicitly directs creation of Google Docs/Drive artifacts containing observed interaction data, but does not require an explicit user-facing consent step or warning that data will be transferred to third-party cloud services. In the context of this skill, which continuously captures all interactions and persists them, exporting reports externally materially increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instruction to create a hidden spreadsheet for chart generation creates an additional cloud-stored copy of sensitive report data without informing the user. Hidden artifacts are especially risky because users may not realize an extra datastore exists, leading to undisclosed retention, access-control, and discovery exposure.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The Google Doc instructions again mandate creating a hidden spreadsheet as part of the reporting workflow, but omit any disclosure about external storage, retention, or duplication of monitored user data. Because the skill aggregates detailed behavioral logs and quotes, silently copying that data into multiple Google artifacts significantly amplifies privacy harm if misconfigured, shared, or breached.

Missing User Warnings

High
Confidence
99% confidence
Finding
The observer logs extensive user content, including verbatim requests and interaction details, to disk without any user-facing warning or consent flow. In a skill configured to run on every conversation and persist immediately, this creates continuous covert retention of potentially sensitive data.

Missing User Warnings

High
Confidence
98% confidence
Finding
The survey agent stores all survey responses as verbatims without warning users that their answers will be retained on disk. Surveys often elicit reflective and sensitive feedback, so silent retention materially increases privacy risk and undermines informed consent.

Missing User Warnings

High
Confidence
96% confidence
Finding
The distiller reads accumulated observations and surveys and prepares them for sharing, including email delivery, without an upfront privacy warning at the point of data use. This compounds the original covert collection by enabling secondary processing and external sharing of retained interaction data.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Requiring a post-task survey after every completed task with no exclusions creates an always-on collection mechanism that can repeatedly interrupt users and capture feedback in sensitive contexts where research prompts are inappropriate. In the broader skill context, this is more dangerous because the skill is explicitly designed to run on every conversation and persist data immediately, so the trigger materially increases unauthorized or excessive data collection rather than being a harmless UX suggestion.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal