Chinese Talent Scout

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent with its stated purpose, but it needs review because it profiles a nationality-linked developer group and exposes broad OpenClaw messaging and cron-management powers.

Install only if you intentionally want a tool that collects and scores public GitHub data about Chinese developers using your configured GitHub and OpenClaw accounts. Before use, review the workspace config, channel targets, exported ZIP contents, and all OpenClaw cron jobs; use least-privileged accounts and avoid syncing cron or sending config requests until you have confirmed the commands and recipients.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The skill invokes powerful local executables including `gh`, `openclaw`, and a browser automation stack, which gives it substantial capability to perform network actions, local system interactions, and automation beyond simple data processing. In an agent-skill context, this materially expands the attack surface because user-triggered flows can cause external side effects and rely on ambient credentials such as GitHub/OpenClaw auth.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding:
The Playwright-based scraping functions launch a full Chromium browser against external sites, enabling arbitrary web content execution within the browser sandbox and broad outbound access. While this is part of the stated feature set, browser automation in an agent skill increases risk of unexpected network reach, fingerprinting, and abuse if later extended to attacker-controlled URLs.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
Despite the description framing config changes as controlled requests, the code actively sends outbound messages to request edits to `talents.yaml` via OpenClaw delivery channels. This is dangerous because it creates an indirect configuration-modification path over external messaging systems, which can be used for unauthorized change workflows or social engineering of downstream operators/agents.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding:
The `sendMessage` wrapper can send arbitrary text and media to many chat platforms, with target, account, thread, and dry-run controls coming from parameters or config. In an agent environment, this is a direct outbound communications primitive that can be abused for data exfiltration, spam, phishing, or covert coordination if the skill is invoked with untrusted inputs.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The skill can add, remove, enable, disable, list, and immediately run cron jobs through OpenClaw. This is highly dangerous in context because it grants persistent task-scheduling capability and remote triggering, enabling unauthorized persistence, recurring execution, or disruptive modification of automation on the host or integrated platform.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The config-request command forwards user-provided change requests over external messaging without meaningful safety interlocks beyond checking channel/target defaults. Because the message body can be user-supplied, this creates a prompt/instruction relay that may induce downstream systems or humans to alter configuration in unsafe ways.

Natural-Language Policy Violations

Severity: Medium
Confidence: 92%
Finding:
The configuration is explicitly designed to discover, rank, and monitor a specific national group ('Chinese GitHub developers') using community, ranking, and graph-expansion signals. Even though this is not memory-corruption or code-execution, it creates a real security/privacy risk because it enables targeted profiling and surveillance of individuals based on nationality/linguistic community without any documented consent, user-choice gate, or necessity constraint in the file.

VirusTotal

65/65 vendors flagged this skill as clean.