Requirement Checker

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real requirements-document checker, but it automatically handles API keys, uploads document contents to configured LLM endpoints, persists secrets locally, and modifies the Python environment during install.

Install only if you are comfortable with requirement documents being sent to your configured LLM provider and with API keys being read from environment/OpenClaw config and potentially saved in the skill's config.json. Review the configured base URL carefully, avoid using broad or production API keys, check file permissions on config.json and generated reports, and consider installing Python dependencies manually in a virtual environment instead of relying on the postinstall hook.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (17)

Tainted flow: 'config' from input (line 283, user input) → requests.post (network output)

Severity: Medium
Category: Data Flow
Content:
    bool: True means the configuration is usable, False means it is not
    """
    try:
        response = requests.post(
            f"{config['base_url']}/chat/completions",
            headers={
                "Authorization": f"Bearer {config['api_key']}",
Confidence: 95%
Finding: response = requests.post( f"{config['base_url']}/chat/completions", headers={ "Authorization": f"Bearer {config['api_key']}", "Content-T

Tainted flow: 'config' from input (line 283, user input) → requests.post (network output)

Severity: Medium
Category: Data Flow
Content:
            print(f"  🔄 第 {attempt} 次重试...")

            # Call the LLM API
            response = requests.post(
                f"{config['base_url']}/chat/completions",
                headers={
                    "Authorization": f"Bearer {config['api_key']}",
Confidence: 97%
Finding: response = requests.post( f"{config['base_url']}/chat/completions", headers={ "Authorization": f"Bearer {config['api_key']}",

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The skill reads API credentials from broad ambient sources like environment variables and unrelated external config stores, exceeding the minimum access needed for a requirement-checking tool. This increases the blast radius of compromise and can unintentionally use or expose credentials the user did not intend this skill to access.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: Scanning ~/.openclaw/openclaw.json for all providers and auto-selecting one gives this skill access to unrelated credentials and service endpoints without a clear need or explicit authorization. In context, this is more dangerous because the selected provider's key may then be persisted locally and used to transmit document contents externally.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The parser is designed to search beyond the user-supplied path by scanning common directories such as the user's Downloads folder and current working directory. In an agent context, this broadens file access from explicit user intent to opportunistic local discovery, which can expose unrelated sensitive documents and violates least-privilege expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: When the requested path does not exist, the code silently substitutes another file found by fuzzy matching, without explicit confirmation. This can cause the agent to ingest the wrong local file, potentially leaking sensitive content or producing analysis based on unintended documents, which is especially risky in automated workflows.

Missing User Warnings

Severity: High
Confidence: 94%
Finding: The README explicitly describes automatic scanning of environment variables and OpenClaw configuration, then saving selected configuration to a local config.json. That creates credential-handling risk because secrets may be discovered and persisted locally without a clear warning, consent flow, storage protections, or guidance on file permissions and redaction.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding: The trigger phrase '请检查需求文档' ("please check the requirements document") is generic and likely to appear in ordinary conversation, increasing the chance that the skill is invoked unintentionally. Because the skill can read directories, scan configuration, call external APIs, and write files, accidental activation could cause unintended processing of sensitive documents and side effects on the local system.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The skill states that reports are automatically generated and saved to a local directory, but it does not clearly warn users up front that invoking the skill will create files on disk. This can expose sensitive requirement content through residual artifacts, overwrite expectations about local state, and surprise users in environments where document handling must be tightly controlled.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The automatic API configuration detection explicitly includes reading local config, environment variables, and scanning OpenClaw provider settings, but the skill does not clearly warn users that credentials or provider metadata may be accessed. In a skill that also performs network requests, this increases the risk of unintended credential exposure, misuse of privileged API keys, and silent use of accounts the user did not intend to authorize.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The code sends full requirement-document content to an LLM via check_with_llm(content, str(file_path)) without any inline warning, consent flow, or per-run confirmation. Requirement documents often contain confidential business logic, customer data, or internal project details, so silent transmission to an external model endpoint creates a real data-exposure risk, especially because the configured base_url may point to a third-party service.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The batch GWT generation path sends document content to an LLM using call_llm_for_gwt(content, filename) after processing all files, again without explicit warning or confirmation at the point of use. This is dangerous because users may believe they are only generating local reports, while the tool may transmit entire documents, including sensitive requirements or regulated data, to a remote service a second time.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: Automatically persisting discovered API keys into a local config.json without explicit warning or consent creates a secret-handling weakness: credentials are duplicated into another file, potentially with weaker protections and broader accidental exposure. This is especially risky here because the automatic flow saves secrets sourced from ambient environment variables, not just user-entered values.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The skill copies API keys from OpenClaw provider configuration into its own local config.json without clear disclosure, multiplying secret copies and weakening provenance control. That duplication increases the chance of credential leakage through local file access, backups, repo mistakes, or later misuse by this or other tooling.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The postinstall script automatically invokes pip to install Python packages during package installation, with no explicit user confirmation before modifying the local or system Python environment. This is risky because postinstall hooks execute implicitly in many package managers, and the use of '--break-system-packages' can alter externally managed Python installations, causing environment corruption or unexpected side effects.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
    # Python >= 3.7 required

    # HTTP request library (required)
    requests>=2.28.0
Confidence: 94%
Finding: requests>=2.28.0

Known Vulnerable Dependency: requests, 10 advisories: CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

Severity: High
Category: Supply Chain
Confidence: 97%
Finding: requests

VirusTotal

65/65 vendors flagged this skill as clean.