OpenClaw Documentation Expert — Live Fetch

Security checks across malware telemetry and agentic risk

Overview

This skill is a focused OpenClaw documentation helper with disclosed local miss logging that users should be aware of.

Install if you are comfortable with the skill fetching public OpenClaw docs over the network and occasionally storing missed routing questions in a local misses.md file. Avoid putting secrets, private incident details, or sensitive internal URLs in OpenClaw questions that might be logged, and clear the local log if needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares only a binary requirement for `curl` but operationally instructs shell-script execution (`fetch.sh`, `search.sh`, `verify.sh`, `selftest.sh`, `record_miss.sh`). That mismatch can bypass least-privilege expectations and cause the host to grant broader execution capability than a reviewer or policy engine realizes. In a skill ecosystem, undeclared shell execution materially increases attack surface because scripts can read/write local files and make network requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The description promises live documentation fetches, but the behavior also persists user questions, tallies historical misses, and caches full-doc content for an hour. This is security-relevant because operators and users may consent to transient fetch-only behavior while the skill actually performs local retention and background state accumulation, undermining informed trust and review. Hidden persistence is especially risky when stored content includes natural-language user queries that may contain secrets.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill directs the agent to log raw user questions to a local file without any explicit warning, consent, or sanitization. User questions often contain credentials, internal URLs, personal data, or proprietary context, so silent retention creates a privacy and data-handling vulnerability even if the file is only local. The danger is amplified because logging occurs on routing misses, which are unpredictable and therefore hard for users to anticipate.

Ssd 3

Medium
Confidence
97% confidence
Finding
Persisting raw natural-language questions in `~/.openclaw/openclaw-docs/misses.md` creates a durable local disclosure risk. Local files are often included in backups, synced directories, support bundles, or read by other local processes/users, turning ephemeral user prompts into long-lived sensitive artifacts. Because the file accumulates free-form text, the impact can include credential leakage, internal project exposure, or personal data retention.

Ssd 3

Medium
Confidence
95% confidence
Finding
The evolution loop institutionalizes repeated collection and later human review of stored user questions, converting incidental logging into an ongoing retention pipeline. This increases exposure because accumulated prompts become a review corpus, making sensitive data more likely to be accessed, copied, or retained indefinitely. The explicit feedback loop also normalizes storing user content for purposes beyond the immediate answer.

Session Persistence

Medium
Category
Rogue Agent
Content
- Do not edit `SKILL.md`, `EXAMPLES.md`, or any file under `scripts/` from within an agent answer.
- Do not invent new decision-tree branches on the fly — use the current tree, then log the miss.
- Do not write to `~/.openclaw/openclaw-docs/` anything other than the misses log (one append per miss).
- Do not exfiltrate user messages beyond the single flattened question passed to `record_miss.sh`.

Promotions from the misses log into SKILL.md are a **human commit**, reviewed, run through `selftest.sh`, and published as a new version. The agent proposes; the maintainer disposes.
Confidence
88% confidence
Finding
write to `~/.openclaw/openclaw-docs/` anything other than the misses log (one append per miss). - Do not exfiltrate user messages beyond the single flattened question passed to `record_miss.sh`. Prom

VirusTotal

VirusTotal findings are pending for this skill version.
