Skill Priority Setup

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a local OpenClaw configuration helper, but parts of its setup messaging overstate what it actually changes.

Use --dry-run first and review the generated policy before relying on it. Do not assume AGENTS.md, SOUL.md, or message-injector configuration were actually changed by this version; verify those files manually after running setup, and avoid --auto on first use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill documentation describes scanning installed skills and applying configuration, which implies filesystem access, but it does not declare permissions despite detected file read/write capabilities. Undeclared capabilities reduce transparency and informed consent, making it easier for a user or host system to underestimate the scope of local file access and configuration changes.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The documented purpose does not fully match the detected behavior: generating DOCX files, creating backups in additional locations, and writing policy/config-related files are materially different actions from merely suggesting tiers. This mismatch is dangerous because users may run the skill expecting analysis only, while it performs broader write operations and misleadingly claims to update files when those updates are only placeholder actions, undermining auditability and trust.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding: The script advertises that it updates AGENTS.md and message injector configuration, but the referenced functions only print success messages and do not perform the promised changes. This is dangerous because operators may believe security-relevant injection policy has been applied when it has not, creating a false sense of protection and leaving the system misconfigured.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding: The apply phase invokes methods that imply automatic policy enforcement, but the code only creates a policy markdown file while leaving actual enforcement points unchanged. In a security-sensitive setup workflow, this mismatch can mislead users into trusting nonexistent controls, which can allow unintended skill injection behavior to persist.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill says it will apply configuration and update files like AGENTS.md and SOUL.md, but it does not prominently warn that running setup can modify important local configuration files. In a setup/configuration skill, this context makes the issue more dangerous because users are likely to execute it early in deployment, when unexpected changes to core agent files can affect trust boundaries and future behavior.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: In auto mode, the tool can proceed directly into configuration-writing behavior without an explicit confirmation of which files will be created or changed. For a setup script operating in a hidden home-directory configuration tree, silent writes increase the risk of accidental or unintended persistence.

VirusTotal

63/63 vendors flagged this skill as clean.