Vibe Coding Cn

Security checks across malware telemetry and agentic risk

Overview

This skill is a project generator, but it has under-scoped file-writing and local-execution behavior that should be reviewed before installation.

Install only in a disposable or well-scoped workspace, review generated diffs before using the output, and avoid running the optional local server or CLI modes unless you understand their local network and filesystem effects. Do not provide sensitive prompts, code, or credentials unless you are comfortable with them being sent to configured LLM providers or recorded in generated logs/metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (41)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill declares only high-level capabilities in metadata, but the documentation clearly instructs use of shell-like execution (`npm install -g .`, `node ...`, `npm start`) and environment-dependent behavior. This mismatch can cause reviewers or policy engines to underestimate what the skill can do, leading to execution in contexts where shell and environment access were not explicitly approved.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The advertised purpose is project generation in OpenClaw, but the documentation describes materially broader behavior: version rollback, persistent history, direct external LLM API usage, local server/WebSocket exposure, and installation/publishing workflows. That scope expansion increases attack surface and can surprise users into enabling network, persistence, and local service behaviors they did not consent to.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The checklist asserts strong security properties such as 'no network' and 'no remote code download' as verified facts, yet the broader skill metadata references components like an LLM client and a dependency on ws, creating a plausible contradiction. Misleading security attestations can cause reviewers and users to trust and install a skill under false assumptions, weakening downstream security review and policy enforcement.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The quickstart explicitly documents standalone CLI execution and a separately started monitoring server, which contradicts the stated constraint that the skill must only be used within the OpenClaw environment. This can weaken the intended trust boundary, causing users to run the skill outside the platform controls, logging, permission model, or sandbox assumptions that OpenClaw may provide.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The manifest says the skill must be used in OpenClaw, yet the documentation provides standalone CLI and server modes outside that environment. This is dangerous because users may run it without OpenClaw’s expected isolation, auditing, or permission controls, exposing the host to broader filesystem, network, or process risks.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The document states that network access is not required, yet earlier release steps explicitly use ClawHub and GitHub publishing flows that inherently perform network operations. This mismatch can mislead users, reviewers, or policy engines about the skill's actual operational requirements and trust boundary, increasing the chance of unexpected outbound connections during use or release.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The document explicitly describes adding a postinstall hook that runs npm install automatically during skill installation. Automatic code execution at install time expands the trust boundary and can execute package lifecycle scripts from this project or its dependencies without an explicit user action or warning, which is a real supply-chain and consent risk.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The documented change launches platform shell commands via child_process.exec to open a folder automatically. While intended as a UX improvement, using exec with a path variable introduces unnecessary command-execution surface and can become dangerous if the path is ever influenced by untrusted input or contains shell-special characters.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The document's threshold configuration example conflicts with the actual decision logic shown earlier: the implementation passes when `yes > no`, and the narrative also allows 1 yes / 1 no to pass, but the sample config shows `maxNoVotes: 0`, which would imply ties or any dissent should fail. In a multi-agent approval workflow, contradictory guidance can cause operators or downstream implementers to enforce the wrong gate, weakening review controls or creating inconsistent approval behavior.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The executor invokes platform-specific OS commands (`open`, `start`, `xdg-open`) on the generated project directory without explicit user consent. Spawning local applications is outside the core need of project generation and can trigger unintended application launches or interact with the host desktop/session in ways the user did not approve.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The executor parses file paths from model-generated markdown and writes them directly to disk under `path.join(this.projectDir, block.path)` with no normalization or boundary check. A malicious or malformed path such as `../../.ssh/authorized_keys` escapes the project directory (path.join collapses `..` segments but does not reject them) and lets the executor overwrite arbitrary files on the host filesystem; absolute paths are likewise accepted without complaint.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The dashboard directly opens a WebSocket to localhost:8765 and can trigger execution through an HTTP POST to localhost:3000, meaning it can operate independently of the claimed OpenClaw-only environment. That broadens the trust boundary: merely opening the page and clicking execute can interact with local developer services and potentially start code generation or other actions without any environment-level guardrail.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document explicitly describes automatic file saving as part of the workflow, but it does not clearly warn users that multiple files will be written to disk. In an agent skill, undisclosed filesystem writes can surprise users, overwrite existing content, or persist sensitive/generated material in unintended locations, especially because the skill appears designed for automated project generation.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The examples show user requirements and generated project paths being printed in logs, but the document does not warn that user-provided content may be echoed to console or logs. This can expose sensitive prompts, project names, or directory structure information in shared terminals, CI logs, or team monitoring systems.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The report advertises 'automatically open the folder' (自动打开文件夹) as a user-experience feature without any caution, consent requirement, or explanation of what will be opened and when. Even in documentation, normalizing automatic system-affecting actions can lead to implementations that trigger local applications or file navigation unexpectedly, reducing user control and increasing the chance of abuse if combined with untrusted paths or generated content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly promotes replacing user approval with automatic agent voting and decision-making ('no need for the user to wait', 无需用户等待; 'replaces user approval', 取代用户审批) without discussing limits, confirmations, or rollback controls. In a code-generation skill operating inside OpenClaw, this weakens human oversight over project changes and can enable unintended file modifications, risky code generation, or unsafe workflows to proceed automatically.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document explicitly advertises 'automatic decisions, no need for the user to wait' (自动决策,无需用户等待) and 'Agent voting approval (replaces user approval)' (Agent 投票审批(取代用户审批)), which normalizes replacing explicit user approval with autonomous agent decisions. In an agent skill that can generate or modify projects, this reduces human oversight for consequential actions and can lead to unauthorized changes, risky code generation, or policy bypass if the workflow is trusted as safe by operators.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promises automatic project generation and later says dependencies may be installed automatically, but it does not clearly warn users that invoking the skill can create files/directories and trigger package installation side effects. In an agentic environment, undocumented writes and installs can materially change the host workspace and expand attack surface, especially when generated content is based on natural-language prompts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README describes 'Agent voting approval, no need for the user to wait' (Agent 投票审批,无需用户等待) and an automatic approval/decision flow, which signals that generated output can be accepted without explicit human review. For a code-generation skill, bypassing user approval increases the chance that unsafe, incorrect, or policy-violating code is written or propagated before a human inspects it.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explicitly advertises that agent voting replaces user approval and makes decisions automatically ('automatic decisions, no need for the user to wait', 自动决策,无需用户等待). In a skill that generates complete projects and operates in an agentic environment, removing user confirmation can allow impactful actions to proceed without informed consent, increasing the chance of unintended file changes, publishing, or other side effects.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly states it will generate project files under an output directory, which implies filesystem writes but does not warn the user about file creation, modification scope, overwrite behavior, or resource usage. In an agentic environment that can act automatically, missing disclosure reduces informed consent and can lead to unexpected local changes or clutter, especially if project names or paths are derived from prompts.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The FAQ says the generated output directory will 'automatically open' after completion without describing this as a side effect or requiring user approval. Auto-opening files or folders can trigger unexpected local actions, leak project names on shared systems, and normalize agent behavior that launches local resources without consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document explicitly proposes 'anonymously collect usage data' (匿名收集使用数据) as a feedback channel but provides no notice about what data is collected, how consent is obtained, retention limits, or how users can opt out. In the context of an agent skill that may process project contents and user prompts, even 'anonymous' analytics can create privacy and compliance risk if implemented without clear disclosure and minimization.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The plan includes one-click deployment, automatic GitHub repository creation, domain configuration, and HTTPS setup without any warning about account access, billing, DNS changes, or irreversible side effects. In an automation skill, these are security-sensitive operations that could modify external services and infrastructure if triggered without explicit authorization and scoped credentials.

Missing User Warnings

High
Confidence
94% confidence
Finding
The document promotes automatic decision-making and replacing user approval without warning that the skill may act on the workspace autonomously. In the context of an agentic coding skill with workspace write access, removing explicit approval checkpoints increases the risk of unintended file modifications, destructive changes, or propagation of unsafe code without informed user consent.

VirusTotal

VirusTotal findings are pending for this skill version.