ClawRank

Security checks across malware telemetry and agentic risk

Overview

The skill is a real ClawRank uploader, but it automatically handles sensitive GitHub and local usage data in ways users may not clearly expect.

Review before installing or running. Use `--dry-run` first, set a ClawRank token manually if possible, and avoid auto-setup unless you are comfortable sending your GitHub CLI token to ClawRank. Expect local OpenClaw usage summaries and, when `gh` is authenticated, GitHub activity metrics from recent accessible repositories to be uploaded; only use `--recurring` if you want ongoing daily submissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding:
The skill exercises sensitive capabilities including shell, file read/write, environment access, and network access, but does not declare permissions or present clear up-front consent boundaries. This increases the risk that an agent or user will invoke the skill without understanding that it can read local transcripts, write tokens to disk, contact external services, and configure recurring jobs.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 96%
Finding:
The declared purpose centers on reporting local OpenClaw token usage, but the documented behavior goes beyond that by collecting GitHub development metrics across repositories, exchanging GitHub-derived auth for a third-party token, inferring owner identity, and persisting credentials locally. That mismatch undermines informed consent and can cause users to disclose substantially more personal and repository activity data than they expected.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding:
The manifest says the skill reports local OpenClaw token usage, but the body states it also gathers GitHub activity metrics across repos and submits them when available. Even if this is intended product behavior, failing to disclose the expanded data collection in the manifest is a privacy and transparency defect that can mislead users and calling agents.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding:
The skill description says it reports local OpenClaw token usage, but the code also discovers GitHub identity and submits commit and PR metrics. This scope expansion is dangerous because users may authorize or run the skill expecting narrow telemetry while it collects and transmits additional account-linked activity data.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding:
The setup flow silently obtains a GitHub auth token from `gh`, sends it to the ClawRank service, and writes a returned API token into persistent OpenClaw configuration. This is dangerous because it performs credential exchange and persistence beyond the advertised behavior, creating account-linkage and long-term authorization risk without clear upfront disclosure.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding:
The script uses broad GitHub API access to enumerate accessible repositories and gather commit and PR statistics, which exceeds the core task of uploading local usage stats. In skill context this is more dangerous because the advertised function sounds narrow, yet the implementation reaches into external account activity across potentially many repositories.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding:
The script can register a recurring OpenClaw cron job, creating persistence and ongoing exfiltration behavior beyond a one-time stats upload. This is risky because modifying the scheduler changes the user's environment and can cause continued background submission of local and GitHub-derived telemetry.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The skill describes scanning local agent transcripts and optionally collecting GitHub activity, then uploading results to an external service, but it does not present a prominent privacy warning or explicit consent checkpoint before doing so. Because session transcripts and repository activity can reveal sensitive usage patterns, project involvement, or identity information, the omission creates meaningful privacy risk.

Missing User Warnings

Medium
Confidence: 96%
Finding:
Auto-setup writes a live API token into the user's persistent OpenClaw config without a confirmation step or least-privilege storage controls. That can surprise users, enlarge the blast radius of local compromise, and leave long-lived credentials in a predictable file path.

Missing User Warnings

Medium
Confidence: 98%
Finding:
The setup flow extracts the user's GitHub authentication token and sends it to the ClawRank service without an explicit just-in-time warning or consent gate. Transmitting a GitHub token is highly sensitive because it may grant broad repository and account access depending on how `gh` is authenticated.

VirusTotal

65/65 vendors flagged this skill as clean.
