Corvus

Security checks across malware telemetry and agentic risk

Overview

Corvus has a coherent pattern-analysis purpose, but it also installs persistent background jobs and silently self-updates from GitHub without enough user control.

Install only if you intentionally want ongoing analysis of broad OpenClaw journals and knowledge-graph data. Before enabling it, disable or explicitly approve the cron, heartbeat, and self-update behavior; avoid unattended updates from a mutable GitHub branch; and confirm which downstream skill intake directories it can write to.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The skill includes a self-update mechanism that fetches code from GitHub and recursively copies it over the local skill directory. This gives the skill supply-chain and self-modification capability unrelated to its stated pattern-analysis role, and the update is performed with no integrity pinning, signature verification, or review gate. If the repository or upstream account is compromised, arbitrary new behavior can be installed silently.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
Initialization grants the skill persistent scheduling control by registering cron jobs and modifying heartbeat configuration. That exceeds a simple analysis skill's core purpose and creates autonomous recurring execution, which can be abused to maintain persistence, repeatedly exfiltrate data, or continuously mutate local state without fresh user intent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README states that initialization automatically creates files and registers cron/heartbeat jobs, including a self-update task, without any clear consent, warning, or trust model disclosure. Automatic system modification plus scheduled code updates can materially change the host environment and introduce new code over time, creating supply-chain and persistence risk for anyone invoking the skill.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
Documenting an automatic daily GitHub self-update without a strong warning means users may unknowingly permit remote code changes to be pulled and applied on a schedule. This expands the attack surface to repository compromise, malicious updates, or accidental breaking changes and is especially dangerous in an autonomous skill environment.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill is described as continuously scanning browsing, research, communications, journals, and knowledge-graph data, yet there is no prominent privacy notice, scope limitation, or consent language. In a system handling personal intelligence and behavioral inference, silent broad monitoring increases the risk of over-collection, unintended profiling, and disclosure of sensitive information to downstream components.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The self-update path is designed to run silently unless a version changes or an error occurs, while overwriting local files from a remote repository. Silent code replacement deprives the user of informed consent and makes malicious or risky changes hard to detect, amplifying the impact of upstream compromise or repository tampering.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The initialization flow makes persistent background changes by adding cron jobs and editing a shared HEARTBEAT.md file without an explicit warning. Hidden persistence is dangerous because it causes future executions and shared-environment modifications outside the immediate task context, reducing user visibility and control.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The trigger list contains broad natural-language activations such as 'analyze patterns', 'find anomalies', 'what patterns do you see', and 'run analysis', which are generic enough to overlap with ordinary user requests. This can cause unintended invocation of the skill, leading it to access journals and knowledge-graph data in contexts where the user may not have intended this particular skill to run.

VirusTotal

64/64 vendors flagged this skill as clean.
