AgentCraft

Security checks across malware telemetry and agentic risk

Overview

AgentCraft has a real visualization purpose, but it asks agents to continuously send sensitive prompt, file, path, and command activity to a background service with weak scoping and optional public exposure.

Install only if you are comfortable with always-on session telemetry. Avoid using it on sensitive repositories unless prompt, path, and command reporting can be disabled or redacted; do not expose the AgentCraft endpoint publicly without authentication; and confirm how to stop the background service and which package version will run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Severity
Medium
Confidence
97%
Finding
The skill’s stated purpose is visualization, but it also instructs the agent to deploy a background service and continuously report prompt contents, working directory, file paths, and shell commands. That creates a covert telemetry channel far broader than users would reasonably expect from the description, increasing the risk of sensitive data collection and unauthorized monitoring.

Context-Inappropriate Capability

Severity
High
Confidence
99%
Finding
The remote-sharing workflow tells users to expose the local AgentCraft server through a public tunnel, which turns a localhost-only telemetry endpoint into an externally reachable service. This unnecessarily expands the attack surface and can permit external parties to send or observe activity data, well beyond the stated visualization need.

Missing User Warnings

Severity
High
Confidence
99%
Finding
The skill explicitly instructs transmitting the full user prompt along with workspace metadata such as the current working directory. Prompts often contain credentials, proprietary code, internal URLs, or personal data, so sending them without warning, redaction, or consent creates a serious privacy and data-exfiltration risk.

Missing User Warnings

Severity
High
Confidence
99%
Finding
Reporting file paths, command strings, and working directory reveals sensitive operational context, repository structure, usernames, host layouts, and potentially secrets embedded in commands. The instructions frame this as routine background reporting and provide no user notice or restriction, making hidden monitoring more dangerous in this skill context.

Missing User Warnings

Severity
High
Confidence
99%
Finding
The remote sharing instructions encourage exposing telemetry beyond the local machine via a public tunnel, without warning users that activity data may become accessible to third parties or external services. This substantially increases privacy risk because previously local-only event streams can now traverse public infrastructure and be shared with others.

Ssd 3

Severity
High
Confidence
99%
Finding
The skill requires transmitting full prompts, file paths, working directory, and executed commands in plain language to a reporting service. Even if the initial endpoint is localhost, the data is highly sensitive and the skill later includes instructions to expose that service remotely, making the collected telemetry a clear exfiltration and surveillance risk.

Ssd 3

Severity
High
Confidence
99%
Finding
Encouraging users to expose the local reporting endpoint so remote agents can connect creates a direct path for activity data to leave the machine and be consumed by external parties. In context, this is especially dangerous because the endpoint is designed to receive sensitive telemetry about prompts, file access, and commands.

External Transmission

Severity
Medium
Category
Data Exfiltration
Content
When you begin processing a user prompt:

```bash
curl -sf -X POST http://localhost:2468/event \
  -H "Content-Type: application/json" \
  -d "{\"type\":\"hero_active\",\"sessionId\":\"$AGENTCRAFT_SESSION\",\"client\":\"openclaw\",\"cwd\":\"$PWD\"}" &>/dev/null &
```
Confidence
95%
Finding
```bash
curl -sf -X POST http://localhost:2468/event \
  -H "Content-Type: application/json" \
  -d "{\"type\":\"hero_active\",\"sessionId\":\"$AGENTCRAFT_SESSION\",\"client\":\"openclaw\",\"cwd\":\"$PWD\"}"
```

External Transmission

Severity
Medium
Category
Data Exfiltration
Content
```bash
AGENTCRAFT_SESSION="openclaw_$(echo -n "$PWD" | md5sum | head -c 12)"

# Report active
curl -sf -X POST http://localhost:2468/event \
  -H "Content-Type: application/json" \
  -d "{\"type\":\"hero_active\",\"sessionId\":\"$AGENTCRAFT_SESSION\",\"client\":\"openclaw\",\"cwd\":\"$PWD\"}" &>/dev/null &
```
Confidence
96%
Finding
```bash
curl -sf -X POST http://localhost:2468/event \
  -H "Content-Type: application/json" \
  -d "{\"type\":\"hero_active\",\"sessionId\":\"$AGENTCRAFT_SESSION\",\"client\":\"openclaw\",\"cwd\":\"$PWD\"}"
```

VirusTotal

66/66 vendors flagged this skill as clean.