idea-inbox

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it stores prefixed private-message ideas in Feishu/Lark Bitable and classifies them with the user's configured model provider, with meaningful privacy considerations but no artifact-backed malicious behavior.

Install only if you are comfortable with prefixed DM idea text being stored in Feishu/Lark Bitable and sent to your configured model provider. Avoid sending secrets, regulated data, or confidential business plans unless that provider and Feishu workspace are approved for that data; delete `~/.openclaw/idea-inbox/config.json` and the created Bitable if you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tainted flow: 'CONFIG_PATH' from os.environ.get (line 10, credential/environment) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
def save_config(cfg: dict[str, Any]) -> None:
    CONFIG_PATH.parent.mkdir(parents=True, exist_ok=True)
    CONFIG_PATH.write_text(json.dumps(cfg, ensure_ascii=False, indent=2), encoding="utf-8")
Confidence
92% confidence
Finding
CONFIG_PATH.write_text(json.dumps(cfg, ensure_ascii=False, indent=2), encoding="utf-8")

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation describes capabilities that imply local file reads/writes, network access, and likely scheduled/background behavior, yet it declares no explicit permissions. This creates a transparency and consent gap: users may not realize the skill stores config under ~/.openclaw, reads model credentials from ~/.codex, and sends message content to external Feishu/LLM services.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README states that the skill will automatically create a remote Feishu/Lark Bitable app on first run and persist configuration under the user's home directory, but it does not mention any explicit confirmation, preview, or consent step. In an agent/skill context, silent external resource creation and local state writes can surprise users, create unintended data exposure or clutter, and normalize side effects that should require clear authorization.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill writes configuration data locally and transmits user message content to external services for storage and AI processing, but the description does not present this as an explicit warning or consent point. This can expose sensitive ideas, business information, or personal data without sufficiently informed user approval.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script reads arbitrary stdin text and sends it to a configured remote LLM provider over HTTP API calls, but the code contains no disclosure, consent, or data classification gate before transmission. In this skill's context, the input may contain private notes or business ideas, so silent exfiltration to a third-party model service creates a real confidentiality risk even if it is part of the intended feature.

VirusTotal

63/63 vendors flagged this skill as clean.
