TinkerClaw Shell Security

Security checks across malware telemetry and agentic risk

Overview

The skill is framed as instruction-only, but it also ships scripts that can persistently patch and rebuild an OpenClaw/TinkerClaw runtime without interactive confirmation.

Review this before installing or running any bundled script. The classification guidance itself is safety-oriented, and VirusTotal was clean, but the package includes admin-style scripts that can alter your OpenClaw/TinkerClaw checkout. Only run them after confirming the target path, reviewing the diff, backing up the repo, and accepting that the runtime hook behavior may change until reverted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The script performs invasive modification of an external codebase and triggers a rebuild, which exceeds a narrowly described 'classify shell commands' capability and introduces supply-chain and integrity risk. In the context of an agent skill, silently patching another project’s source and build output can alter runtime behavior in ways users may not expect, especially because it inserts a hook that can block or change tool execution globally.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
This script's behavior is materially outside the declared purpose of a shell-command classification skill: it edits OpenClaw source code, removes a hook, and rebuilds the project. In an agent skill context, that mismatch is dangerous because it can disable security-relevant instrumentation or alter host behavior under the guise of a safety utility, increasing the chance of unauthorized or deceptive system modification.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The script performs direct in-place edits to a TypeScript source file and then rebuilds the target project, which grants it code-modification capability unrelated to command classification. In the context of an agent skill, this is particularly risky because it can remove hooks or controls from the agent runtime and persist those changes through a rebuild, enabling security feature bypass or integrity loss.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script modifies a source file in place with sed -i after only checking for a marker, without interactive confirmation, backup creation, or a dry-run mode. That creates risk of silent destructive changes to local code, especially if OPENCLAW_DIR is misconfigured or the file contents differ from expectations.

Missing User Warnings

Low
Confidence: 88%
Finding
The script automatically launches a build subprocess after editing files, which can consume resources, execute package lifecycle scripts, and make broader project changes than the user may expect. While rebuilding is a common maintenance step, doing so without explicit advance warning or confirmation increases operational and supply-chain risk in an agent-managed environment.

VirusTotal

65/65 vendors flagged this skill as clean.