My Shell

Security checks across malware telemetry and agentic risk

Overview

This skill is an openly powerful shell-control tool, but it also ships malformed metadata that can overwrite local OpenClaw skill metadata, and its command safeguards are weak.

Install only in a disposable or tightly controlled environment where you intentionally want the agent to run local shell commands. Do not rely on the denylist as a safety boundary, and treat the malformed _meta.json write into ~/.openclaw/skills as something that should be removed or fixed before trusting the package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Severity: Medium
Confidence: 98%

The file presents commented metadata for one skill but then includes a shell command that writes different metadata for another skill into ~/.openclaw/skills/claw-shell/_meta.json. This mismatch is deceptive and can silently overwrite trusted local skill metadata, enabling skill substitution or impersonation without the user's awareness.

Context-Inappropriate Capability

Severity: High
Confidence: 98%

This skill exposes near-arbitrary shell execution by forwarding user-controlled input into a persistent tmux shell session. The lightweight blocklist is easily bypassed and does not meaningfully constrain harmful commands, enabling filesystem access, data exfiltration, process tampering, network activity, or destructive actions through alternative syntax.

Missing User Warnings

Severity: Medium
Confidence: 96%

This skill exposes a general-purpose shell execution interface inside a persistent tmux session while blocking only a very small denylist (`sudo`, some `rm`, reboot/shutdown). That leaves many dangerous commands available, including file modification, exfiltration, package installation, permission changes, process control, network access, and destructive actions that do not use the listed keywords, so an agent could materially alter the system or its data without adequate safeguards.

Missing User Warnings

Severity: Medium
Confidence: 97%

The shell snippet writes directly to a metadata file under the user's home directory, modifying local agent configuration without any warning or consent. In skill context, altering files under ~/.openclaw/skills is especially dangerous because it can install, replace, or rebind a skill that the agent may later trust and execute.

VirusTotal

66/66 vendors flagged this skill as clean.