OpenClaw Quickstart

Security checks across malware telemetry and agentic risk

Overview

This is mostly a real OpenClaw onboarding guide, but it can silently add persistent heartbeat and daily reminder behavior before the user explicitly approves it.

Review before installing. Only use this skill if you are comfortable with it writing OpenClaw workspace files, adding a HEARTBEAT.md progress block, checking OpenClaw state, and creating recurring reminder behavior. Prefer a dry run first, confirm any cron schedule and notification channel, and review any third-party skill before installing it from ClawHub.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes shell commands and node scripts that access the user's home directory and workspace, but no permissions are declared to signal those capabilities. This creates a transparency and consent gap: users and hosting platforms cannot accurately assess that the skill will read environment-related paths and perform local automation tasks.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared purpose presents the skill as a simple onboarding guide, but the documented behavior includes persistent automation, cron creation/removal, HEARTBEAT.md modification, workspace scanning, and state persistence. That mismatch is dangerous because users may trigger the skill expecting interactive guidance, while it silently installs background behavior and inspects local data.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The description omits that the skill installs persistent reminders and monitoring without explicit consent, even though those actions materially change the user's environment. Understating those behaviors increases the chance of uninformed activation and undermines user control over background tasks.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Creating cron jobs and modifying HEARTBEAT.md exceeds what most users would reasonably expect from a tutorial/onboarding skill. Because these are persistent system and workspace modifications, they broaden the blast radius from a guided session to ongoing automated behavior.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The instruction that the installer is 'safe' attempts to normalize execution despite it making unattended persistent changes. Such reassurance is risky because it can bias the agent or user into skipping scrutiny of operations that alter scheduled tasks and workspace files.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The progress checker inspects global OpenClaw state under the user's home directory, including cron configuration and installed skills, rather than limiting itself to the onboarding workspace. This violates least-privilege expectations for a quickstart helper and can expose unrelated user activity or cause the skill to infer completion from data outside its scope.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
Although described as a checker, the script can persistently modify .quickstart-progress.json when invoked with --mark-done. A read-oriented utility that also writes state creates surprising side effects, and if another component can trigger it automatically, task completion can be recorded without clear user awareness or validation.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation conditions are broad enough that ordinary requests about getting started or onboarding may invoke a skill that performs persistence and local scanning. This increases the chance of accidental execution of sensitive side effects without the user specifically asking for automation or reminders.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill explicitly instructs silent installation on first activation and says not to ask the user before running an installer that creates persistent jobs and modifies files. This is a strong consent violation and creates unauthorized persistence in the user's environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The top-level description does not warn that activation can create heartbeat and daily cron reminders, despite those being significant persistent behaviors. Hidden persistence is particularly risky in an onboarding context because users are more likely to trust and accept it without scrutiny.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase asks the AI to initialize its identity and behavior without clearly constraining what files may be written, what settings may be changed, or what authority the AI has to redefine its own rules. In an onboarding context, this can lead users to grant overly broad control over persistent persona and policy files, creating a prompt-injection-style persistence risk if unsafe instructions are stored in SOUL.md or IDENTITY.md.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide explicitly says the assistant may call external weather services and that successful use will be recorded in memory, but it does not warn users that their city/query may be sent to third-party providers or that interaction metadata may be retained. In an onboarding context for new users, this omission is more concerning because users are being encouraged to try the feature without informed consent about data flow and retention.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The task states that AI will save the generated report into the workspace automatically, but does not tell the user in advance that a file write will occur or ask for confirmation. In an agent environment, silent persistence can create unexpected files containing sensitive work details, increasing the risk of privacy leakage, clutter, or downstream misuse by other tools that read the workspace.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The content instructs users to create persistent reminder/cron tasks that will proactively contact them through external IM channels, but it does not disclose key security and privacy implications such as ongoing background execution, message routing to third-party services, accidental disclosure on shared devices, or how reminders can be reviewed and revoked. In an onboarding skill, this is more dangerous because new users may enable automation without understanding that the agent will continue acting and sending messages after the initial interaction.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide explicitly encourages using the browser tool to log into a platform and view bills, but it does not warn users about credential handling, session privacy, sensitive financial/account data exposure, or the need to verify what the agent is allowed to access. In an onboarding/quickstart context for new users, this is especially risky because users may treat the action as routine and grant broad browser access without understanding the privacy implications.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The document explicitly instructs that AI will generate a .pptx file and save it into the workspace, but it does not tell the user up front that a file write will occur or ask for confirmation. This is a low-severity transparency and consent issue: unexpected file creation can surprise users, clutter storage, or overwrite expected outputs if naming is not handled safely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to search for and install community skills directly from ClawHub without any warning, vetting guidance, or trust boundary discussion. Because installed skills extend the agent with new capabilities and may execute untrusted logic, this normalizes arbitrary third-party installation and increases the chance of supply-chain compromise, malicious skill execution, or over-privileged behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script persistently modifies the user's OpenClaw environment by registering recurring cron jobs immediately when run, without an explicit confirmation prompt, dry-run mode, or clear warning about the ongoing behavior. In an onboarding skill, this is especially sensitive because a new user may execute setup steps casually and unintentionally enable background reminders and automated actions that continue until manually removed.

VirusTotal

59/59 vendors flagged this skill as clean.
