项目开发助理 (Project Development Assistant)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine local project logging assistant, but several helper commands scan broad local locations (the user workspace plus fixed drive roots), and the statistics command silently deletes saved briefing files older than three days.

Install only if you want persistent local project memory. Use explicit project paths, avoid storing secrets in logs or session archives, and avoid the global briefing, monitor, purge-test, and admin stats commands unless you accept broad local project scanning and the possible deletion of old briefing files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs the agent to read and write project files, create directories, and persist state, but it declares no permissions or equivalent disclosure. That gap can cause users or the platform to underestimate the skill's capabilities, increasing the risk of unintended filesystem access or modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose says the skill should only operate for explicit project logging/tracking, but the described behavior extends to broad project discovery, multi-project briefing generation, monitoring, synchronization, and deletion/purging. That mismatch is dangerous because it enables wider-than-expected filesystem enumeration and modification, potentially affecting unrelated projects and exposing sensitive metadata.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill goes beyond logging and issue tracking by directing session archival, context persistence, and new-session recovery workflows. This increases data-retention and privacy risk because conversation content and user-provided material may be stored and reused across sessions without clear minimization or consent boundaries.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The skill claims it activates only on explicit user requests, but later instructs proactive archival when internal conditions are detected. That creates an authority expansion where the agent may begin persisting or restructuring user data without a direct trigger, undermining user expectations and consent.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documented workflow expands the skill from structured project logging into active web research and saving downloaded materials to the filesystem. That broadens the skill's operational scope beyond its stated purpose, increasing the chance of unreviewed network access, unsafe file writes, and user surprise about what the agent may do.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script performs broad filesystem discovery across the user's workspace and drive roots (C: and D:) rather than operating only on an explicitly selected project. In a skill advertised as user-triggered project logging/issue tracking, this expands access scope unnecessarily, exposing project names and paths from unrelated directories and increasing privacy and misuse risk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This code deletes briefing JSON files as part of housekeeping, which exceeds the expected scope of simple logging and issue tracking. Destructive behavior against stored project metadata can cause data loss, especially because filenames are matched by substring and there is no confirmation, backup, or dry-run.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The stats command silently deletes briefing files older than 3 days while presenting itself as a reporting function. Hidden destructive side effects violate user expectations and can lead to accidental loss of project context simply from requesting statistics.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The top-level usage text documents 'stats' as a statistics operation, but the implementation also removes expired briefing files. This mismatch is dangerous because users cannot give informed consent to destructive behavior they are not told about.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code enumerates projects by scanning a user workspace plus multiple drive roots and any directory containing a logs subdirectory, which exceeds the narrowly scoped behavior described for an explicitly triggered project logging assistant. Even though it does not exfiltrate data, this broad filesystem discovery reveals local project names and paths and increases privacy exposure and unintended access to unrelated user projects.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script probes multiple local drives (E:, D:, F:) and iterates their top-level directories looking for projects, a capability not necessary for generating a briefing for a user-specified project. In the context of an assistant that should trigger only on explicit project actions, this broad host enumeration makes the skill more dangerous because it can inventory unrelated local work without a precise user request.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script enumerates projects from broad local filesystem locations, including ~/.openclaw/workspace and fixed drive roots like E:/Projects, D:/Projects, and F:/Projects, rather than being scoped to an explicitly selected project. In the context of a trigger-limited project assistant, this expands access beyond the minimum necessary and can expose metadata about unrelated local projects, creating an unnecessary privacy and data-minimization risk.
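The enumeration findings above (workspace plus C:/D:/E:/F: drive roots, any directory with a logs/ subfolder) all come down to one missing control: the helper never binds its filesystem reach to the project the user actually named. The following is an added example, not the skill's own code and not SkillSpector output, of how a local assistant can enforce that in Python: one declared workspace root, project paths resolved only within it after symlink and `..` resolution, and discovery limited to that root's immediate children. The workspace layout, the "a project is a directory with a logs/ subfolder" rule, and the `resolve_project` and `list_projects` names are assumptions for illustration.

```python
# Added example (not the skill's own code): confine every filesystem action to
# one explicitly declared workspace root and to the project the user named,
# instead of crawling ~/.openclaw/workspace and drive roots.  The root and the
# "project = directory with a logs/ subfolder" rule are assumptions.
import tempfile
from pathlib import Path


class ScopeError(ValueError):
    """Raised when a requested path falls outside the declared workspace."""


def resolve_project(requested, workspace_root):
    """Return the real path of `requested` only if it sits under
    `workspace_root`.  Symlinks and `..` are resolved first, so neither
    'proj/../../elsewhere' nor a symlink inside the root can escape it."""
    root = Path(workspace_root).resolve()
    req = Path(requested)
    target = (req if req.is_absolute() else root / req).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise ScopeError(f"{target} is outside workspace {root}") from None
    if not target.is_dir():
        raise ScopeError(f"{target} is not an existing project directory")
    return target


def list_projects(workspace_root):
    """Enumerate projects as the immediate children of the single declared
    root that contain a `logs/` directory.  No drive roots, no recursion."""
    root = Path(workspace_root).resolve()
    return sorted(p.name for p in root.iterdir()
                  if p.is_dir() and (p / "logs").is_dir())


def demo():
    """Constructed layout: two projects under the root, a directory with no
    logs/, a sibling directory outside the root, and a symlink inside the
    root that points at that outside directory."""
    base = Path(tempfile.mkdtemp())
    root = base / "workspace"
    for name in ("alpha", "beta"):
        (root / name / "logs").mkdir(parents=True)
    (root / "scratch").mkdir()          # no logs/ -> not a project
    (base / "outside").mkdir()          # sibling of the root, off limits
    try:
        (root / "link").symlink_to(base / "outside")
    except OSError:                     # symlinks may be disallowed; the
        pass                            # resolve-then-check still applies
    result = {"projects": list_projects(root),
              "alpha": resolve_project("alpha", root).name}
    for bad in ("../outside", "link", str(base / "outside")):
        try:
            resolve_project(bad, root)
            result[bad] = "allowed"
        except ScopeError:
            result[bad] = "blocked"
    return result


if __name__ == "__main__":
    print(demo())
```

The check is deliberately resolve-then-compare rather than a string prefix test on the raw input: a prefix test passes `workspace/../outside`, and a symlink check that does not resolve first passes `workspace/link`. With this in place, a "continue project" or "global briefing" command cannot reach anything the user did not declare as the workspace.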

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill repeatedly emphasizes silent writes, silent project creation, and quiet state updates while minimizing chat output. Silent modification is risky because it can hide impactful filesystem changes from the user, making accidental overwrites, persistence of sensitive data, or unauthorized project alterations harder to notice.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The continue-project trigger includes broad phrases like "继续" ("continue") and "接着上次" ("pick up where we left off"), which can appear in normal conversation and may unintentionally activate project-reading actions. In this skill, accidental activation is more concerning because the prescribed workflow immediately reads project structure, logs, and progress, which can expose local context the user did not mean to access.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The daily logging trigger says to act during "any important moment" in development, which is too subjective and lacks a clear user-activation boundary. An agent following this guidance could over-log conversational content or write to disk without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow instructs the agent to search online, assess materials, and save them into project directories without any safeguards around privacy, source trust, or filesystem effects. This can lead to downloading untrusted content, storing inappropriate files, or leaking sensitive project interests through network activity without informed user consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The purge-test path deletes briefing files without an explicit warning, confirmation, or preview of affected files. Even if intended for test artifacts, substring-based matching can remove unexpectedly named files and creates avoidable data-destruction risk.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Automatically deleting briefings older than 3 days during a stats operation is undisclosed destructive behavior. Users invoking a read-only sounding command may unknowingly lose data needed to resume or audit project work.
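The findings on the stats command, the housekeeping deletion and the purge-test path describe one pattern: a reporting command that also deletes, with substring filename matching, no dry run, no backup and no confirmation. As an added example, not the skill's code, the Python below separates the read-only listing from the destructive step, matches files by an exact date-stamped shape, defaults to a dry run, and moves matches into a sibling `.trash/` directory instead of unlinking them. The `briefing_YYYYMMDD.json` naming, the 3-day cutoff and the function names are assumptions chosen to mirror the findings.

```python
# Added example (not the skill's own code): keep reporting and deletion apart,
# match briefing files by exact shape rather than substring, default to a dry
# run, and move rather than unlink.  The `briefing_YYYYMMDD.json` naming and
# the 3-day retention are assumptions chosen to mirror the findings above.
import os
import re
import time
import tempfile
from pathlib import Path

# Exact-shape match.  A substring test like `"briefing" in name` would also
# catch unrelated files such as my_briefing_notes.json.
BRIEFING_RE = re.compile(r"^briefing_\d{8}\.json$")


def expired_briefings(briefing_dir, max_age_days=3, now=None):
    """Read-only: briefing files whose mtime is older than `max_age_days`.
    A stats command may *report* this list; it must not act on it."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    return sorted(p for p in Path(briefing_dir).iterdir()
                  if p.is_file() and BRIEFING_RE.match(p.name)
                  and p.stat().st_mtime < cutoff)


def purge_briefings(briefing_dir, max_age_days=3, confirm=False, now=None):
    """Separate, opt-in command.  Without confirm=True nothing changes and the
    candidate list is returned for review; with it, files are moved into
    `.trash/` next to them so a wrong match is recoverable.
    Returns (candidates, moved)."""
    victims = expired_briefings(briefing_dir, max_age_days, now)
    names = [v.name for v in victims]
    if not confirm:
        return names, []
    trash = Path(briefing_dir) / ".trash"
    trash.mkdir(exist_ok=True)
    for v in victims:
        v.rename(trash / v.name)
    return names, list(names)


def demo():
    """Constructed fixture: a fresh briefing, a 5-day-old briefing, and a
    5-day-old look-alike that substring matching would have deleted too."""
    d = Path(tempfile.mkdtemp())
    now = time.time()
    stale = now - 5 * 86400
    (d / "briefing_20240102.json").write_text("{}")
    for name in ("briefing_20231220.json", "my_briefing_notes.json"):
        (d / name).write_text("{}")
        os.utime(d / name, (stale, stale))
    candidates, moved_dry = purge_briefings(d, now=now)      # dry run
    _, moved = purge_briefings(d, confirm=True, now=now)     # explicit opt-in
    return {"candidates": candidates, "moved_dry": moved_dry, "moved": moved,
            "kept": sorted(p.name for p in d.iterdir() if p.is_file()),
            "trashed": sorted(p.name for p in (d / ".trash").iterdir())}


if __name__ == "__main__":
    print(demo())
```

The point of the split is that a user who types `stats` gets `expired_briefings` output and nothing else; deletion only happens through a command whose name says so and whose default invocation merely previews the list. Moving into `.trash/` rather than unlinking is the cheap backup the finding asks for.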

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to archive prior conversation material into session files and later reload it in new sessions. Persisting conversational content across sessions can capture sensitive user data, credentials, proprietary project details, or prior instructions into files that may outlive the original context and be exposed to other tools or users.
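One concrete mitigation for the archival concern above, and for the Overview's advice not to store secrets in logs or session archives, is to scrub credential-shaped strings before anything is written to disk. The Python below is an added example, not the skill's code; the rule set (key=value pairs, AWS-style access key IDs, bearer tokens, PEM private-key blocks), the `redact` and `archive_session` names, and the sample transcript are all assumptions constructed for illustration.

```python
# Added example (not the skill's own code): scrub credential-shaped strings
# from conversation text before it is written to a session archive.  The
# pattern set is an assumed, conservative starting point; it will not catch
# every secret format, so treat it as a last line of defence, not the first.
import re

# (label, regex, replacement).  Key=value style is handled first so that the
# markers the other rules emit are never re-scanned as "token: ..." matches.
SECRET_RULES = [
    ("assignment",
     re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key|token)(\s*[:=]\s*)\S+"),
     r"\1\2[REDACTED]"),
    ("aws_access_key_id",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "[REDACTED:aws_access_key_id]"),
    ("bearer_token",
     re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{16,}"),
     "[REDACTED:bearer_token]"),
    ("private_key_block",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
     "[REDACTED:private_key_block]"),
]


def redact(text):
    """Return (scrubbed_text, hits) where hits maps rule label to count."""
    hits = {}
    for label, rx, repl in SECRET_RULES:
        text, n = rx.subn(repl, text)
        if n:
            hits[label] = n
    return text, hits


def archive_session(text):
    """What a session-archive writer should persist: the scrubbed text plus a
    header saying what was removed, so the user can see the archive was
    altered rather than silently trusting it as a verbatim record."""
    scrubbed, hits = redact(text)
    if not hits:
        return scrubbed
    header = "# redacted: " + ", ".join(
        f"{k}={v}" for k, v in sorted(hits.items())) + "\n"
    return header + scrubbed


# Constructed sample transcript; the key and token below are not real secrets
# (the AKIA value is the placeholder used in AWS documentation).
SAMPLE = """Deploy used key AKIAIOSFODNN7EXAMPLE for the staging bucket.
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abcdefghijklmnop" https://example.invalid/api
db password=hunter2 was rotated on Friday.
-----BEGIN RSA PRIVATE KEY-----
MIIBogIBAAJBAL constructed placeholder, not a real key
-----END RSA PRIVATE KEY-----
Plan: refactor the logs/ writer next session.
"""


if __name__ == "__main__":
    print(archive_session(SAMPLE))
```

Shape-based rules are chosen so the archiver never needs to know a real secret in advance; the cost is false negatives for formats not in the list, which is why the header records what was scrubbed and why the user still needs a warning that conversation content is being persisted at all.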

VirusTotal

64/64 vendors flagged this skill as clean.
