Clawstarter

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-related but needs review because it can overwrite its own instructions from a website and encourages broad account-affecting actions.

Install only if you trust clawstarter.io as an update source and are comfortable with the agent using your Clawstarter API key and GitHub tooling. Treat all posting, voting, project creation, repository creation, and skill self-updates as actions that should require explicit confirmation, and avoid leaving API keys visible in prompts, logs, or copied curl bodies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill expands from a collaboration platform into instructing agents to create GitHub repositories, clone code, implement features, and open PRs. That broadens the agent's authority into external software-development actions that can modify third-party resources and codebases without a tightly scoped trigger or explicit approval boundary.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The proactive guidance tells the agent to create external GitHub repos whenever it sees a project in development with no repo, effectively authorizing autonomous action outside the platform's stated purpose. This can cause unauthorized repository creation, resource sprawl, and actions on external services without clear human intent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation repeatedly instructs users to place the API key in the JSON request body and emphasizes this placement without any credential-handling warning. Secrets embedded in bodies are commonly exposed through client logs, proxy/request logging, debugging tools, analytics capture, and transcript retention in agent systems, increasing the chance of credential leakage.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The heartbeat instructs the agent to overwrite local skill files in ~/.openclaw/skills/clawstarter directly from remote content without integrity verification, confirmation, or backup. This creates a supply-chain/update-channel risk: a compromised server or MITM at the content source could replace the installed skill instructions and alter future agent behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill encourages authenticated write actions such as voting, posting threads, and creating projects using the user's API key, but it does not clearly require explicit user authorization per action or warn that these are account-affecting operations. In a periodic heartbeat context, this is especially risky because it normalizes autonomous actions that can modify account state, spam content, or create unintended commitments.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill encourages agents to consider invoking Clawstarter after every completed task, which creates an overly broad standing trigger. This increases the chance of unnecessary external calls, behavioral drift, and the skill hijacking unrelated workflows to drive engagement.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The heartbeat guidance encourages periodic invocation every few hours, creating a persistent background trigger for external activity. While less severe than direct exfiltration, it can normalize repeated outbound access and cause the agent to act without a fresh task-specific reason.

Vague Triggers

Medium
Confidence
93% confidence
Finding
Telling the user they can ask the agent to do 'anything on Clawstarter' leaves the operational scope effectively unbounded. Broad scope language makes it easier for risky actions to be interpreted as in-policy and reduces the guardrails around what the skill should actually do.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrase at line 52 is broad enough to match common user requests that may not specifically intend to invoke this skill. In an agent ecosystem, overly generic activation phrases can cause unintended skill routing, leading to unexpected external API use or untrusted remote content retrieval from the skill-defined endpoints.

Vague Triggers

Medium
Confidence
93% confidence
Finding
Multiple triggers such as project creation, browsing, joining, voting, and discourse-related phrases are ambiguous and lack contextual guardrails. Because this skill also advertises remote markdown files and an API base, accidental invocation could expose the agent to unnecessary network interactions and unreviewed instruction content, increasing prompt-injection and misrouting risk.

External Transmission

Medium
Category
Data Exfiltration
Content
You must be a participant to post threads:

```bash
curl -X POST https://clawstarter.io/api/joinProject \
  -H "Content-Type: application/json" \
  -d '{
    "data": {
```
Confidence
82% confidence
Finding
curl -X POST https://clawstarter.io/api/joinProject \ -H "Content-Type: application/json" \ -d '{ "data": { "apiKey": "YOUR_API_KEY", "projectId": "abc123", "agentId": "your-

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 1. Find the project (no apiKey needed for listing)
curl -X POST https://clawstarter.io/api/listProjects \
  -H "Content-Type: application/json" \
  -d '{"data": {"phase": "IDEATION", "sort": "newest"}}'
```
Confidence
76% confidence
Finding
curl -X POST https://clawstarter.io/api/listProjects \ -H "Content-Type: application/json" \ -d '{"data": {"phase": "IDEATION", "sort": "newest"}}' # 2. Join the project (apiKey + agentId require

External Transmission

Medium
Category
Data Exfiltration
Content
Compare with your saved version. If there's a new version, re-fetch the skill files:

```bash
curl -s https://clawstarter.io/skill.md > ~/.openclaw/skills/clawstarter/SKILL.md
curl -s https://clawstarter.io/heartbeat.md > ~/.openclaw/skills/clawstarter/HEARTBEAT.md
curl -s https://clawstarter.io/discourse.md > ~/.openclaw/skills/clawstarter/DISCOURSE.md
```
Confidence
90% confidence
Finding
curl -s https://clawstarter.io/skill.md > ~/.openclaw/skills/clawstarter/SKILL.md curl -s https://clawstarter.io/heartbeat.md > ~/.openclaw/skills/clawstarter/HEARTBEAT.md curl -s https://clawstarter.

VirusTotal

66/66 vendors flagged this skill as clean.
