Agent Audit Scanner

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local OpenClaw security scanner, but one scan wrapper can automatically install an unpinned PyPI package during a scan, which deserves review before use.

Install only if you are comfortable trusting the external `agent-audit` PyPI package. Prefer installing it yourself in a virtual environment, pinning or reviewing the version first, and running audits locally. Expect the tool to read OpenClaw skill folders and configuration files; treat clean scan results as helpful signals, not a guarantee of safety.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Attempt to install agent-audit via pip."""
    print("📦 agent-audit not found. Installing...")
    try:
        result = subprocess.run(
            [sys.executable, "-m", "pip", "install", "agent-audit", "--quiet"],
            capture_output=True, text=True, timeout=120
        )
Confidence
97% confidence
Finding
result = subprocess.run( [sys.executable, "-m", "pip", "install", "agent-audit", "--quiet"], capture_output=True, text=True, timeout=120 )

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill claims to be a comprehensive built-in security scanner, but the instructions show it depends on an external package installed via pip and also audits local config files beyond the narrowly stated scope of skill scanning. This mismatch can mislead users about what code is actually being trusted and executed, increasing supply-chain and overreach risk.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
A wrapper whose stated role is scanning and reporting also installs software, which is an unnecessary privilege and capability expansion. This creates avoidable supply-chain and environment-modification risk in a context where users reasonably expect read-only analysis behavior.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Automatic pip installation is not justified by the declared purpose of a security scanner and violates least surprise for a defensive tool. Users invoking a scan may not expect package download, dependency resolution, or modification of the interpreter environment, which can be abused or can destabilize trusted systems.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The trigger conditions include broad phrases like asking whether a skill is safe or to check skills, which could match ordinary conversation and cause unintended invocation. In a security-audit skill this is less dangerous than in an execution-heavy skill, but it can still prompt unexpected scans of local skill/config directories or nudge users into unnecessary package installation.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code performs a networked pip install without prior user confirmation, which is risky in a security-sensitive tool because it introduces external content into the environment at runtime. If package sources or TLS trust are compromised, or if dependency resolution pulls an unintended artifact, the scanner becomes a code execution path instead of a passive analysis tool.

VirusTotal

63/63 vendors flagged this skill as clean.
