Cue

Security checks across malware telemetry and agentic risk

Overview

Cue’s research purpose is plausible, but its installed code combines background monitoring, API-key handling, and unsafe shell command construction that should be reviewed before use.

Review the code or wait for a patched version before installing. If you do install it, use a dedicated low-privilege API key, avoid shared machines, do not paste sensitive research topics, disable or avoid monitoring/cron features unless needed, and verify that notification sending no longer uses shell-interpolated chat IDs or message text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (30)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script reads an API key from the environment and uses it to send user-supplied research tasks to an external service. That is a real security concern because it enables outbound data transfer and credential use without any visible validation, consent flow, or restriction on what topic/chat data may be transmitted.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script launches a background Node client and later a notifier process, giving it persistent process-management behavior beyond a simple foreground helper script. In a skill context, this increases risk because spawned background processes can continue network activity, consume resources, and outlive the invoking session with limited user visibility.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code executes external CLI commands via execSync and goes beyond passive monitoring by mutating scheduler state. More importantly, it later constructs a shell command using chatId, so this broader command-execution capability materially increases the attack surface and can become a command injection path.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This code accepts raw API keys from user input and persists them via setApiKey(), creating a credential-management feature in the skill itself. Even if intended for convenience, storing secrets increases risk of accidental disclosure, insecure local persistence, cross-user mixups, or later misuse by other components, and the file does not show strong safeguards or explicit consent at the point of storage.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The module builds a shell command with interpolated `channel`, `chatId`, and especially `text`, then executes it via `execSync`. Because these values can contain shell metacharacters or embedded quotes, an attacker who controls notification content can potentially break out of the intended command and achieve command injection, which is far more powerful than normal notification behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The rollback section documents destructive deletion commands (`rm -rf src/ tests/ node_modules/`) without any warning, confirmation step, or backup verification. In an agent skill or operational runbook context, users or automation may copy-paste these commands directly, causing accidental loss of local code, tests, or environment state if run in the wrong directory or before validating the backup.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The document describes external API transmission, persistent local storage, logs, and background monitoring, but it does not present a clear upfront user warning about what data leaves the host and what is stored locally. In an agent skill context, poor disclosure increases the chance that users enable monitoring or provide credentials without understanding privacy and persistence implications.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill advertises very broad natural-language activation such as entering general investment or research-related queries directly, which can cause the skill to trigger on ambiguous user input without clear intent to invoke it. In this skill, unintended activation is more concerning because invocation can lead to network access, persistent local storage, background processing, and follow-on monitoring workflows.

Vague Triggers

Medium
Confidence
93% confidence
Finding
Telling users to send any message to begin setup is an excessively vague trigger that can initialize the skill on incidental conversation rather than deliberate consent. Given this skill's stated behavior—welcome flows, API-key guidance, user-state creation, and potential persistence/background monitoring—such automatic activation increases the risk of unintended data handling and privileged setup actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The non-interactive quick setup mode silently persists secrets passed on the command line into ~/.openclaw/.env. This is dangerous because command-line arguments are commonly exposed via shell history, process listings, logs, and automation systems, creating multiple opportunities for credential leakage beyond the .env file itself.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script automatically persists API keys into `~/.openclaw/.env` when a user sends a string matching key patterns, without an explicit confirmation prompt or storage warning at the moment of write. In an agent/chat setting, this increases the risk of users pasting sensitive credentials they did not intend to store locally, and the file may inherit unsafe permissions if not explicitly locked down.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script sends the full user query, optional conversation identifiers, and possibly enriched sensitive research context to a remote service at the configured base URL without any explicit consent, warning, or data-classification guard. In an agent-skill context, users may assume local processing, so undisclosed transmission can expose proprietary, personal, or regulated information to a third party.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script fetches an arbitrary user-supplied URL with curl, which can trigger unintended outbound network access to internal services, cloud metadata endpoints, or attacker-controlled hosts. In an agent or automation context, this creates SSRF-style risk and silent data transmission because there is no validation, allowlist, or user-facing consent around network access.

Missing User Warnings

Low
Confidence
89% confidence
Finding
Writing notification content to /tmp using a filename derived from MONITOR_ID can expose sensitive monitoring results to other local users and may enable symlink or clobbering attacks on multi-user systems. Because the file contains trigger conditions and execution results from external sources, this can leak potentially sensitive data or overwrite unintended targets if the path is manipulated.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script starts a detached Node subprocess that is configured with a base URL and API key and appears intended to communicate with a remote service, while only emitting generic success/progress messages to the user. This is risky because users may not understand that data is being sent off-host asynchronously, reducing transparency and informed consent.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
chatId is interpolated into a shell command string passed to execSync, which enables command injection if chatId can contain shell metacharacters. An attacker could execute arbitrary commands under the service account when cron registration is attempted.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The worker accepts an API key as a positional command-line argument via process.argv, which can expose the secret through process listings, shell history, job runners, crash reports, and orchestration logs. In this cron/background-worker context, the risk is more concrete because scheduled jobs and process supervisors commonly record full command invocations, increasing the chance of credential disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
At the point where the user provides an API key, the code proceeds to detect and save it without presenting a clear warning about where it will be stored, how long it will persist, or what components may access it. This weakens informed consent and can cause users to disclose sensitive credentials into a local agent environment they may not fully trust.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README instructs users to install a cron entry that creates a persistent background monitoring task, but it does not clearly warn about the ongoing execution, resource consumption, or security implications of running unattended jobs. In a skill that performs networked monitoring and notifications, silent persistence increases risk because it can continue operating after installation with limited user awareness.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The README tells users to place API keys and notification tokens in environment variables but does not warn that these are sensitive secrets that must be protected from shell history, process inspection, shared profiles, and logs. While environment variables are a common mechanism, omitting handling guidance can lead to credential exposure in multi-user or poorly secured environments.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The documented first-time setup says users should 'send any message' to trigger initialization, which is an overly broad activation condition for a skill that has persistent storage, background jobs, external API use, and notification behavior. In this context, an accidental or unrelated message could start onboarding, state creation, or other side effects without clear user intent, making unintended activation more dangerous than in a stateless read-only skill.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code persists API keys via setApiKey(service.key, apiKey) and then tells the user the secret is saved and active, but it does not present a clear warning or consent prompt at the moment of storage describing where the key will be stored, how it is protected, and who can access it. In a skill that handles credentials and advertises local storage/automation behavior, silent persistence of secrets increases the risk of accidental credential exposure on shared hosts or poorly protected local environments.

Credential Access

High
Category
Privilege Escalation
Content
# Save to .env
if grep -q "TAVILY_API_KEY" ~/.openclaw/.env 2>/dev/null; then
    # Update the existing entry
    sed -i "s/TAVILY_API_KEY=.*/TAVILY_API_KEY=${tavily_key}/" ~/.openclaw/.env
else
    # Add a new entry
    echo "TAVILY_API_KEY=${tavily_key}" >> ~/.openclaw/.env
fi
Confidence
93% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
if grep -q "QVERIS_API_KEY" ~/.openclaw/.env 2>/dev/null; then
    sed -i "s/QVERIS_API_KEY=.*/QVERIS_API_KEY=${qveris_key}/" ~/.openclaw/.env
else
    echo "QVERIS_API_KEY=${qveris_key}" >> ~/.openclaw/.env
fi

export QVERIS_API_KEY="$qveris_key"
Confidence
93% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
if [ "$service" = "tavily" ]; then
    if grep -q "TAVILY_API_KEY" ~/.openclaw/.env 2>/dev/null; then
        sed -i "s/TAVILY_API_KEY=.*/TAVILY_API_KEY=${key}/" ~/.openclaw/.env
    else
        echo "TAVILY_API_KEY=${key}" >> ~/.openclaw/.env
    fi
fi
Confidence
95% confidence
Finding
.env

VirusTotal

65/65 vendors flagged this skill as clean.
