Model Usage Monitor

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a local usage monitor, but it under-discloses persistent scheduled execution and local agent session-file access.

Install only after reviewing whether you want this skill to read OpenClaw logs and local agent session files, copy code into ~/.openclaw/workspace/.lib, and create an hourly OpenClaw cron job. Prefer a manual or copy-only install unless you explicitly want persistent monitoring, and confirm how to list and remove the cron job later.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"--description", "每小时检查模型使用告警"
    ]
    
    result = subprocess.run(cmd, capture_output=True, text=True)
    
    if result.returncode == 0:
        print("✅ Cron Job 已创建: 每小时自动检查")
Confidence
89% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def test_monitor():
    """测试监控脚本"""
    script = os.path.join(LIB_DIR, "model_usage_monitor_v2.py")
    result = subprocess.run(
        ["python3", script, "--alert-check"],
        capture_output=True,
        text=True
Confidence
83% confidence
Finding
result = subprocess.run( ["python3", script, "--alert-check"], capture_output=True, text=True )

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation makes strong 'read-only' and 'zero side effects' claims, yet it also states that installation automatically creates a Cron job. Creating persistent scheduled tasks changes system state and can continue running without ongoing user awareness, so the behavior materially contradicts the declared safety model. In a security review, misleading or incomplete disclosure about persistence is dangerous because users may grant trust or install the skill under false assumptions.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The setup docstring describes the script as only performing installation and configuration, but the code also creates a persistent scheduled monitoring job and executes the monitor script. This mismatch is security-relevant because it conceals behavior that changes system state and may affect user trust and consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The installation section discloses automatic Cron job creation but does not adequately warn that this creates persistent background execution. Persistent scheduling increases attack surface and operational risk because the skill will continue to run regularly, potentially processing sensitive logs or generating notifications long after the initial install, and users may not realize they have installed a resident task.

VirusTotal

65/65 vendors flagged this skill as clean.
