Skill Safe Install

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed installation workflow, but it weakens its own safety review by exempting a hardcoded trusted list and can make persistent trust changes.

Install only if you want an agent to manage OpenClaw skill installation. Require clawhub inspect for every skill, including allowlisted authors, confirm the exact skill slug before any formal install, and approve allowBundled edits only for skills you intend to trust long term.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The skill declares that Steps 0-5 are mandatory and must not be skipped, but later exempts a hardcoded whitelist of 'trusted' skills from the security review. That creates a policy bypass where high-trust labels suppress inspection, increasing the chance that a compromised, typo-squatted, or incorrectly classified package is installed without scrutiny.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger phrase "install skill" is broad enough to match ordinary user requests and could cause this workflow to activate in situations the user did not intend. In an installation-related skill, overbroad triggering is especially risky because it can steer the agent into installation and configuration-changing flows, increasing the chance of unintended package actions or authorization confusion.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The trigger phrases are broad enough to fire on ordinary user requests about installing or checking skills, which can cause this installation workflow to take over unexpectedly. In a security-sensitive skill that performs installation and configuration changes, over-triggering increases the chance of unintended execution paths and user confusion around consent.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill documents real installation and configuration-file modification steps, including editing `~/.openclaw/openclaw.json`, without clear warnings about persistent system changes, backup validation, rollback, or possible user impact. This is dangerous because it normalizes state-changing operations in a workflow that may be auto-triggered, reducing informed consent and increasing the risk of accidental misconfiguration.

VirusTotal

66/66 vendors flagged this skill as clean.
