Mainctrl

Security checks across malware telemetry and agentic risk

Overview

This does not look malicious, but it needs review because it can automatically route blocked write or command actions to unrestricted sub-agents without user confirmation.

Install only if you want workflow enforcement (main delegates implementation to sub-agents), not a security sandbox. Turn it on explicitly after install, verify its status, restrict who can run the CLI, and treat plugin removal, off mode, and automatic sub-agent delegation as actions that restore or preserve full write/execute capability.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The documentation appears to contradict itself about the default state of blocking, which can cause operators to misunderstand whether protections are active. In a permission-control skill, ambiguity about the default security posture can lead to accidental exposure of destructive tools to the main agent when administrators believe they are blocked.

Description-Behavior Mismatch

Medium
Confidence: 86%
Finding
The script’s documented role is managing runtime blocking state, but it also performs plugin installation and removal, which expands its authority beyond simple state management. That hidden or under-emphasized capability can surprise operators and allows a caller of this utility to make persistent system-level changes to the OpenClaw environment.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
These commands modify global OpenClaw plugin state by enabling, disabling, installing, and uninstalling a plugin, which is broader than the stated permission-management purpose. In a security-control skill, the ability to alter global plugin configuration is sensitive because misuse can disable protections or introduce unreviewed code paths across the whole environment.

Missing User Warnings

Medium
Confidence: 96%
Finding
The README explicitly tells the blocked primary agent to bypass the restriction by immediately delegating the same action to a sub-agent, while also noting that sub-agents retain full write/exec capability. This creates a misleading safety model: users may believe dangerous actions are prevented, when in reality they are merely rerouted to less-restricted agents without an approval checkpoint.
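The rerouting described in this finding, modelled as an added example. This is constructed code, not Mainctrl's or OpenClaw's implementation: the tool names come from the findings on this page, while the `Policy` class, the single-use approval tokens and the two dispatch functions are assumptions that show the difference between "blocked means delegated" and "blocked means blocked until a reviewer approves".

```python
"""Model of the delegation bypass described above, and a gate that closes it.
Hypothetical code: it does not reflect how Mainctrl or OpenClaw are implemented."""
from dataclasses import dataclass, field

# Tools the page says the control blocks for the primary agent when it is on.
BLOCKED_FOR_MAIN = frozenset({"write", "edit", "exec", "process", "patch"})


@dataclass
class Policy:
    enabled: bool = True
    blocked: frozenset = BLOCKED_FOR_MAIN
    # Single-use approvals issued by a human reviewer, keyed (delegate, tool).
    # Assumed mechanism; the page describes no approval checkpoint at all.
    approvals: set = field(default_factory=set)

    def allows(self, agent: str, tool: str) -> bool:
        """Blocking applies to 'main' only; sub-agents keep full capability (as the README states)."""
        if not self.enabled:
            return True
        if agent == "main":
            return tool not in self.blocked
        return True


def approve(policy: Policy, delegate: str, tool: str) -> None:
    """Record a one-time approval for a delegate to run a tool on main's behalf."""
    policy.approvals.add((delegate, tool))


def naive_dispatch(policy: Policy, tool: str, delegate: str = "sub") -> tuple:
    """The README's instruction: if main is blocked, hand the same call to a sub-agent.
    Returns (agent that ran it, outcome)."""
    if policy.allows("main", tool):
        return ("main", "executed")
    if policy.allows(delegate, tool):          # sub-agent is unrestricted, so this always passes
        return (delegate, "executed")
    return (delegate, "denied")


def hardened_dispatch(policy: Policy, tool: str, delegate: str = "sub") -> tuple:
    """Delegation inherits main's restriction; only an explicit, single-use approval lifts it."""
    if policy.allows("main", tool):
        return ("main", "executed")
    key = (delegate, tool)
    if key in policy.approvals:
        policy.approvals.discard(key)          # consume the approval so it cannot be replayed
        return (delegate, "executed-with-approval")
    return ("main", "denied-needs-approval")


if __name__ == "__main__":
    p = Policy()
    print("naive   exec:", naive_dispatch(p, "exec"))       # rerouted to the sub-agent
    print("hardened exec:", hardened_dispatch(p, "exec"))   # stays blocked
    approve(p, "sub", "exec")
    print("approved exec:", hardened_dispatch(p, "exec"))
    print("replayed exec:", hardened_dispatch(p, "exec"))   # approval was single-use
```

The point of the hardened path is that a blocked call never changes outcome just because a different agent makes it; the only thing that changes the outcome is a reviewer's decision, recorded where an audit can find it. Note that when the policy is disabled (the page's "off" mode) both dispatchers execute everything for main, which is why the findings below treat that mode as a safeguard removal rather than a routine setting.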

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation includes plugin uninstall/removal instructions without a prominent warning that removing the plugin disables the enforcement mechanism entirely. Because this skill is specifically a runtime control for blocking destructive tool calls, normalizing uninstall steps without risk framing can lead users or agents to disable protections casually and leave controlled agents unrestricted.

Missing User Warnings

Medium
Confidence: 93%
Finding
The 'Emergency off — let everyone do anything' command is presented as a routine example without a strong warning about the risk of disabling all safeguards. In this skill's context, that command removes protections on write, edit, exec, process, and patch actions, so casual use can directly enable high-risk operations by the main agent.

Missing User Warnings

Medium
Confidence: 90%
Finding
The install/remove subcommands invoke system-modifying OpenClaw plugin operations immediately and without confirmation, dry-run output, or privilege checks. In practice, this increases the risk of accidental or scripted changes to the agent platform, including disabling the control plugin or force-installing it from a local path.
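What the three "missing user warnings" findings on uninstall, emergency off and the install/remove subcommands ask for, shown as an added example. This is constructed code, not the skill's CLI: the subcommand names mirror the page's own terms, but the `OPERATORS` allowlist, the placeholder operation tuples passed to `execute`, and the `--dry-run`/`--yes` flags are assumptions illustrating how a state-changing control CLI can refuse to act without a privilege check, a preview, and an explicit confirmation.

```python
"""Guarded wrapper for enforcement-changing subcommands (hypothetical, not Mainctrl's code).
Every action that could disable or remove enforcement requires: an allowed operator,
an explicit --yes, and offers a --dry-run preview. The actual platform call is
abstracted as an 'execute' callback so the example runs offline."""
import argparse
from typing import Callable, Dict, List, Tuple

# Constructed allowlist of who may change enforcement state (the page says to restrict CLI access).
OPERATORS = frozenset({"alice"})

# Actions that remove or disable protection; these get an explicit warning in the result.
DESTRUCTIVE = frozenset({"off", "remove"})

Operation = Tuple[str, str, str]   # placeholder shape: (object, verb, target)


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(prog="mainctrl-guard")
    p.add_argument("action", choices=["on", "off", "status", "install", "remove"])
    p.add_argument("--dry-run", action="store_true", help="show the operations without running them")
    p.add_argument("--yes", action="store_true", help="confirm a state-changing action")
    return p


def plan(action: str) -> List[Operation]:
    """Map a subcommand to the global plugin operations it would perform.
    The tuples are placeholders, not real OpenClaw commands."""
    return {
        "on": [("plugin", "enable", "mainctrl")],
        "off": [("plugin", "disable", "mainctrl")],
        "install": [("plugin", "install", "mainctrl"), ("plugin", "enable", "mainctrl")],
        "remove": [("plugin", "disable", "mainctrl"), ("plugin", "uninstall", "mainctrl")],
        "status": [],                       # read-only: nothing to guard
    }[action]


def run(argv: List[str], user: str, execute: Callable[[Operation], None]) -> Dict:
    """Evaluate the guards in order and only then hand operations to 'execute'."""
    args = build_parser().parse_args(argv)
    steps = plan(args.action)
    result: Dict = {"action": args.action, "steps": steps}
    if args.action in DESTRUCTIVE:
        result["warning"] = ("this removes the write/edit/exec/process/patch block; "
                             "the main agent regains full capability")
    if not steps:                            # 'status' never changes anything
        result["status"] = "ok"
        return result
    if user not in OPERATORS:                # privilege check before anything else
        result["status"] = "refused-unprivileged"
        return result
    if args.dry_run:                         # preview, no side effects
        result["status"] = "dry-run"
        return result
    if not args.yes:                         # no implicit confirmation
        result["status"] = "refused-unconfirmed"
        return result
    for op in steps:
        execute(op)
    result["status"] = "applied"
    return result


if __name__ == "__main__":
    import sys
    import getpass
    # Stand-alone use: print what would be done instead of calling a platform CLI.
    print(run(sys.argv[1:], getpass.getuser(), lambda op: print("would run:", op)))
```

Order matters: the privilege check comes before the dry-run branch so that an unprivileged caller cannot even enumerate the global plugin operations, and the destructive-action warning is attached to every result, including the refusals, so the operator sees it at the moment the decision is made rather than after the plugin is already gone.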

VirusTotal

64/64 vendors flagged this skill as clean.
