ClawBot Network

Security checks across malware telemetry and agentic risk

Overview

This skill fits its collaboration purpose, but its default installation and networking choices are unsafe enough to require careful review.

Install only if you control the server and can harden it first: replace the public hard-coded IP with your own host, use HTTPS/WSS, add authentication and firewall or VPN restrictions, remove curl-to-bash, verify downloaded files, and require human approval before any remote task can spawn agents or perform deployments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises and documents network access, shell execution, and environment-dependent behavior, yet no permissions are declared. This undermines least-privilege controls and can cause users or orchestration systems to approve a skill without understanding that it can open network services, fetch remote content, and invoke shell commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The description frames the skill as simple cross-device collaboration, but the content describes a substantially broader system: a central server, persistent storage, downloadable installers, messaging APIs, offline task delivery, and group management. That mismatch is security-relevant because users may grant trust for a coordination helper while actually deploying a multi-user network service with a much larger attack surface.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The installer explicitly documents a curl-to-bash workflow and then proceeds to fetch additional remote Python components from a network host. That creates a supply-chain and remote-code-execution path well beyond a minimally safe installer, especially because users are encouraged to trust code served live from the server at install time.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The connector fingerprints the host model and then transmits device metadata during network registration, which expands local system information disclosure beyond what is strictly required for messaging. In this skill context, connecting multiple devices is relevant, but collecting exact model details without explicit consent still creates unnecessary privacy leakage to the remote server.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The server explicitly exposes the entire ../config directory over HTTP, allowing any remote user to download configuration files without authentication. In an agent-networking service, config files commonly contain hostnames, agent identifiers, network topology, API endpoints, secrets, or operational metadata that can materially aid unauthorized access or lateral movement.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation instructs users to execute a remote script directly through the shell without reviewing it first, and it is fetched over plain HTTP. If the server or network path is compromised, arbitrary code will run immediately on the client machine under the user's account.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The installer downloads executable components over plain HTTP, which provides no transport authenticity or integrity. An attacker on the network path, or anyone able to tamper with the server or route, could replace the Python files with malicious code that will later be executed by the user.

Missing User Warnings

High
Confidence
99% confidence
Finding
The quickstart tells users to execute a remotely fetched shell script directly with `curl | bash` over plain HTTP, which removes any opportunity to inspect the script and exposes it to tampering in transit. In this skill's context, users are being instructed to connect multiple agent instances across devices, so compromise of the installer could lead to arbitrary code execution on several machines and credential or data theft.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The manual installation steps fetch executable client code and per-agent configuration over plain HTTP without integrity validation or a warning about interception and modification risks. An attacker on the network path or controlling the server could replace the downloaded Python client or config and gain code execution, redirect communications, or collect sensitive metadata.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill is designed to auto-connect to a hardcoded external WebSocket server and send presence/messages across devices, yet the user-facing description does not present meaningful consent, trust boundaries, or data-sharing implications. In this context, the danger is elevated because the component bridges agent communications to an unauthenticated external endpoint over plain `ws://`, potentially exposing bot identity, messages, and metadata to interception or an untrusted server.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The connector reads local `SOUL.md` content to derive the bot identity and then uses that identity in network communications, without warning the user that local profile content may be extracted and transmitted. While the regex only targets the name field, this still creates an unexpected local-data access path tied to outbound sharing.

External Script Fetching

High
Category
Supply Chain
Content
**Option A: One-line install (MacBook/Mac Mini)**

```bash
curl -fsSL http://YOUR-VPS:3001/install-clawbot.sh | bash
```

Then start:
Confidence
99% confidence
Finding
curl -fsSL http://YOUR-VPS:3001/install-clawbot.sh | bash

External Script Fetching

High
Category
Supply Chain
Content
# ClawBot Network Connector - Quick Setup
# Quickly connect clawdbot on any device to the Agent Network
#
# Usage: curl -fsSL http://3.148.174.81:3001/install-clawbot.sh | bash

set -e
Confidence
99% confidence
Finding
curl -fsSL http://3.148.174.81:3001/install-clawbot.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
**Option A: One-line install (MacBook/Mac Mini)**

```bash
curl -fsSL http://YOUR-VPS:3001/install-clawbot.sh | bash
```

Then start:
Confidence
98% confidence
Finding
| bash

Chaining Abuse

High
Category
Tool Misuse
Content
# ClawBot Network Connector - Quick Setup
# Quickly connect clawdbot on any device to the Agent Network
#
# Usage: curl -fsSL http://3.148.174.81:3001/install-clawbot.sh | bash

set -e
Confidence
98% confidence
Finding
| bash

VirusTotal

64/64 vendors flagged this skill as clean.