Elephas

Security checks across malware telemetry and agentic risk

Overview

Elephas is a coherent long-term memory skill, but it automatically schedules background jobs and a silent GitHub self-update that can overwrite the installed skill.

Review before installing. This skill is not clearly malicious, but install only if you are comfortable with it reading OpenClaw journals, writing a durable knowledge graph, registering recurring cron jobs, and updating itself from GitHub. Prefer disabling the self-update cron, using explicit journal source allowlists, backing up Chronicle before merge operations, and requiring manual approval for identity merges and package updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The document explicitly states that merges are reversible, but the provided implementation only appends merge history and marks both entities as `confirmed_same`; it does not preserve the full pre-merge state or provide any undo path. In an identity-resolution pipeline, this can cause irreversible corruption of entity relationships and records after a bad merge, which is especially dangerous because upstream logic allows auto-merge based on thresholds and imperfect matching.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README states that first invocation automatically creates files and registers cron jobs, and also enables a daily self-update path, without any warning, consent flow, or trust-boundary discussion. In an agent skill, automatic persistence plus scheduled modification of the installed code materially expands execution and supply-chain risk, especially because the skill is described as a privileged component that ingests data from all other skills and writes to the authoritative knowledge graph.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill defines a silent self-update path that fetches remote content from GitHub and then recursively overwrites local files with `cp -R ... ./` without any integrity verification, pinning, or user approval. In this context, the risk is elevated because the update is also scheduled via cron, making remote code/behavior changes persistent and potentially automatic if the upstream repository or supply chain is compromised.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The documented pattern performs filesystem writes and database initialization automatically on first use, including creating multiple directories under the user's home directory, without any explicit warning, consent, or gating. In an agent skill context, this can cause unexpected persistent side effects, violate least surprise, and make it easier for an agent to modify a user's environment simply by invoking a helper that appears read-oriented.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The trigger phrase "consolidate" is generic natural language and can easily appear in ordinary user requests unrelated to this skill, increasing the chance of accidental invocation. In this skill, unintended activation is more concerning because the described actions include ingesting journals, resolving identities, promoting facts, and updating a persistent knowledge graph, which could modify long-term state based on ambiguous prompts.

VirusTotal

64/64 vendors flagged this skill as clean.