OpenClaw Action Gate

Security checks across malware telemetry and agentic risk

Overview

The plugin is purpose-aligned, but it can send message contents and routing metadata to any configured external service and its install path runs unpinned source-build steps, so it needs review before use.

Install only if you trust the publisher and control the configuration. Prefer embedded local mode unless you operate the remote Action Gate service yourself; if using serviceUrl, require an HTTPS endpoint you trust and understand that message content and routing/session metadata may leave the local runtime. Pin the source revision or install from a reviewed artifact rather than cloning a moving branch for production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 87%
Finding:
The skill metadata declares no permissions, yet the install and verification instructions clearly rely on network access and environment/runtime capabilities (`git clone`, `pnpm install`, external URLs, shell execution). This mismatch can mislead operators and any permission-gating system into trusting a plugin that actually requires broader capabilities, reducing transparency and weakening deployment controls.

Missing User Warnings

Medium
Confidence: 91%
Finding:
When pluginConfig.serviceUrl is set, the plugin sends request payloads containing message content, recipient/routing identifiers, scope keys, agent identifiers, and run/session metadata to an external HTTP endpoint via fetch. In a security-gating plugin, this data flow may be expected operationally, but the code performs no validation or restriction on the destination, no transport assurance beyond whatever URL is configured, and no minimization/redaction of sensitive fields, so a misconfigured or untrusted service can exfiltrate sensitive conversation data.

VirusTotal

VirusTotal findings are pending for this skill version.
