enterprise-security-suite

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because its main confirmation safeguard does not actually wait for approval and activation persistently changes agent memory through shell-driven database writes.

Install only after review. Do not rely on this version to block high-risk actions, because its confirmation function currently auto-approves. Run activate.js only if you intentionally want persistent OpenClaw memory rules added through the local pgmemory Docker/Postgres setup, and plan how to remove those records if you later uninstall the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill advertises behavior that modifies environment variables/API keys and activates itself by writing persistent security rules, yet no explicit permissions are declared. Undeclared sensitive capabilities reduce transparency and bypass informed review, making it easier for a skill to gain trust while still influencing privileged system behavior.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding: This is a serious description-behavior mismatch: the skill claims to provide safety features, but the analyzed behavior indicates direct modification of the local PostgreSQL memory store, execution of docker/psql subprocesses, and persistent injection of system-level behavior rules that affect future AI/Gateway decisions. A 'security' skill that covertly alters the agent's long-term decision logic is especially dangerous because users are likely to trust and install it with elevated confidence.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The activation script directly alters the PostgreSQL-backed memory store at install time, which is a privileged state change outside a simple passive 'security suite' activation. Although the inserted content appears intended to enforce safer behavior, silently modifying a shared agent memory/database can persistently change system behavior without explicit user approval, review, or transaction safety.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The script imports and uses child_process.execSync to run Docker and psql commands, giving the skill shell-level capability to alter local system and application state. In a post-install context this is risky because it expands the blast radius beyond the skill's stated purpose and creates opportunities for command execution abuse if the script or inserted data is later modified.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding: The function presents a high-risk confirmation prompt but never actually waits for or validates user input; it immediately returns true. This creates a fail-open authorization bypass where any caller relying on this module will execute dangerous operations without explicit approval, despite the safety claims in the module description and console output.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The activation script performs database writes immediately as part of activation and only informs the user after the changes have already been attempted. That lack of upfront disclosure and consent is dangerous because installation-time scripts can persist configuration changes invisibly, making review, auditing, and informed approval harder.

VirusTotal

52/52 vendors flagged this skill as clean.