ClawHub

Openclaw With Apple

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malware, but it asks an AI agent for broad Apple/iCloud control, primary Apple credentials, automatic syncing, persistence, and some destructive actions that need careful review.

Install only if you intentionally want a local agent to control broad Apple/iCloud functions. Avoid pasting your main Apple ID password or 2FA codes into chat; prefer app-specific passwords or a local interactive login where possible. Inspect the iPhone Shortcuts before disabling prompts, keep Find My/Drive/delete actions manually confirmed, and know how to remove the launchd job and ~/.pyicloud session files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (69)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill exposes powerful capabilities including environment-variable handling, filesystem access, shell execution, and networked iCloud operations, but does not declare permissions or scope them in the manifest. This creates a transparency and consent gap: users and reviewers cannot accurately understand the real access level before enabling the skill.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill claims a narrower purpose around iCloud, Health, and todo sync, but the file documents much broader powers: full iCloud Drive management, photo access, device status/location, Find My actions, calendar modification, and scheduled automation. This mismatch undermines informed consent and can conceal unexpectedly invasive or destructive actions from users.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest description omits major capabilities such as photo access, drive file management, device enumeration, and Find My features. Users expecting calendar/health/task functionality may unknowingly grant access to far broader personal data and remote actions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Remote device-control actions such as Find My play sound and lost mode are highly sensitive and not necessary for the stated core workflow of health analysis and task synchronization. These features can affect real user devices and create opportunities for harassment, panic, or unauthorized operational changes if triggered improperly.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The documented capabilities materially exceed the stated skill metadata, including notes sync, photo browsing, iCloud Drive access, device location, and calendar operations. Scope mismatch is dangerous because users and host platforms may grant trust or approvals based on an incomplete description, causing unexpected access to far broader personal data and device-control functions than advertised.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The tutorial claims the password is only stored locally and not uploaded, yet instructs the user to send Apple credentials and 2FA codes to the AI assistant. That contradiction is highly dangerous because once secrets are typed into an AI/chat interface, they may be logged, retained by the client or provider, exposed to other tools, or mishandled by the skill runtime.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill explicitly asks users to provide their Apple ID primary password in chat for capabilities beyond simple calendar access. This is dangerous because primary credentials and subsequent 2FA codes enable broad account access, and the skill also states sessions will be cached locally, increasing the blast radius if logs, environment variables, or the host are compromised.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The manifest description presents the skill as iCloud, health, and task sync, but the body also documents photo access, iCloud Drive file management, device enumeration, and Find My operations. This mismatch reduces informed consent and can mislead users into granting trust or credentials without understanding the full set of powerful capabilities exposed.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill exposes remote device-control functions like locating devices, playing sounds, and enabling lost mode, which are unrelated to the advertised health-analysis and reminder-sync use case. These actions can materially affect user devices and privacy, so bundling them into an unrelated skill creates unnecessary and unexpected risk.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The `today` command performs analysis and then unconditionally deletes other `health_*` files in the same directory, which is a destructive side effect far beyond the documented read/analyze behavior. Because these are personal health history files in iCloud Drive, this can cause silent loss of sensitive longitudinal data and may propagate deletion across synced devices.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The cleanup helper deletes every `health_*` file whose name does not contain the current date string, which is broader and less precise than the comment suggests. Substring-based matching is brittle and can remove files the user did not intend to purge, especially if the directory contains similarly named exports, backups, or alternate date formats.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script continuously retrieves iPhone location, infers home/work/commute state, and writes that presence information into a shared calendar. In the context of a skill advertised for iCloud/health/todo access, this materially expands surveillance capability and can expose highly sensitive movement patterns to other calendar viewers or anyone with access to the account.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The `today` command performs destructive behavior by calling `_cleanup_old_health_files`, which deletes historical `health_*` files from the user's iCloud Drive after analysis. This is dangerous because the tool is presented as an analysis/reporting utility, so users may not expect permanent data deletion of sensitive health history, and iCloud-backed deletion can propagate across devices.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The cleanup implementation deletes any file matching `health_*`, while the surrounding comment suggests only old JSON/TXT health exports should be removed. This mismatch increases risk of unintended deletion of other files sharing the prefix, including auxiliary data, backups, or differently formatted exports in the same iCloud directory.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script explicitly promises that cached iCloud session tokens and cookies are stored in a directory with permission 0o700, but it never creates the directory securely or verifies/corrects its permissions. Because these cached artifacts grant long-lived passwordless access to a highly sensitive iCloud account, overly permissive filesystem permissions could allow other local users or processes to read or reuse the session, leading to account compromise without the Apple ID password.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill metadata claims Apple Health deep analysis and bidirectional todo sync, but the code actually provides broad iCloud access including photos, Drive, devices, and Find My. This scope mismatch is dangerous because it can mislead users or downstream agents into granting Apple credentials for a narrower-seeming purpose while enabling access to unrelated and much more sensitive data and actions.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The code exposes device lookup, precise location retrieval, sound playback, and lost-mode activation, which are materially more sensitive than the stated health-analysis and todo-sync use case. In an agent setting, this hidden expansion of authority increases the risk of unauthorized surveillance or disruptive device actions under false pretenses.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Remote device control through Find My, including playing sounds and enabling lost mode, is not justified by the advertised health-analysis and todo-sync purpose. This creates a dangerous capability mismatch where a user may authorize credentials for benign-seeming analysis but the tool can instead affect physical devices and reveal sensitive location context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises full iCloud access, device location, photos, drive contents, calendar access, and deep Apple Health analysis, but does not foreground privacy boundaries, data minimization, or user safety warnings. In the context of an AI skill, this is dangerous because users may grant highly sensitive access without understanding the scope of collection, processing, retention, or downstream exposure of their personal and health data.

Missing User Warnings

High
Confidence
99% confidence
Finding
The documentation tells users to provide their Apple ID email and main password via environment variables for AI-assisted login, without a strong warning against sharing primary credentials with an AI-integrated tool. This is highly dangerous because Apple ID credentials can grant access to broad personal data and account functions, and exposing them to an agent environment increases the risk of credential theft, unintended logging, prompt leakage, or reuse by malicious code.

Vague Triggers

High
Confidence
98% confidence
Finding
The skill mandates automatic execution whenever the user mentions ordinary life actions or note-like content, without requiring a clear save command or confirmation. This makes accidental persistence likely and can cause unauthorized storage and downstream syncing of sensitive conversational content.

Vague Triggers

High
Confidence
97% confidence
Finding
The rule 'if this might be useful tomorrow, store it' is so broad that it captures large amounts of normal conversation without meaningful boundary conditions. This creates over-collection of personal data and increases the risk of unintended retention and syncing to external services.

Missing User Warnings

High
Confidence
99% confidence
Finding
The onboarding flow asks users to provide their Apple ID primary password directly in chat and frames this as required for broad account access, but does not foreground safer alternatives or the sensitivity of sharing credentials. Collecting primary credentials through chat is highly dangerous because it enables full account compromise beyond the intended feature scope.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill mandates automatic storage of user conversation content to reminders/notes without a prominent upfront warning that ongoing capture is happening. Users may disclose sensitive information in ordinary conversation without realizing it will be persisted server-side and later synced to iCloud.

Missing User Warnings

High
Confidence
99% confidence
Finding
The tutorial explicitly tells users to provide their Apple ID email and primary password to the AI, which is unsafe for any consumer account and especially risky for an account tied to photos, files, notes, device location, and personal communications. The skill context makes this more dangerous because it seeks broad iCloud access, so compromise of the provided credentials could expose or alter multiple sensitive Apple services.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal