Mentor

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent orchestration tool, but it asks for broad ongoing authority, automatic updates, and private Gmail-based contact profiling that users should review carefully.

Install only if you intentionally want a persistent OpenClaw control-plane skill. Before enabling it, review or disable the daily self-update and cron jobs, narrow the triggers, confirm which journals it can read, and do not run contact-enrichment unless you explicitly approve the Gmail account, target contact, message scope, extracted fields, storage location, and write-back preview.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Intent-Code Divergence

Severity: Medium | Confidence: 93%
The README states there are no external dependencies, yet it later documents pulling updates from a GitHub source. That mismatch can mislead users and operators about the trust boundary and network behavior of the skill, especially for an orchestration component that can self-update on a schedule.

Missing User Warnings

Severity: Medium | Confidence: 84%
The skill is described as reading journals from every skill and supporting Gmail-based contact enrichment, but the README provides no clear privacy notice, consent model, retention policy, or data-scope limits. In a control-plane skill with broad visibility, under-disclosed access to cross-skill journals and personal communications increases the risk of unintended collection or misuse of sensitive data.

Missing User Warnings

Severity: Medium | Confidence: 91%
The README says initialization runs automatically, creates files, and registers cron jobs, and elsewhere documents self-updates, but it does not present any of this as a prominent security/operational warning. Silent persistence and scheduled execution are risky behaviors for an autonomous control-plane component because they expand its footprint and can surprise users or administrators.

Missing User Warnings

Severity: High | Confidence: 95%
The documented workflow plan performs recurring contact enrichment using Gmail, OSINT, and web search, and the README even provides a cron example for daily execution without warning about continuous access to sensitive or external data sources. In this context, the risk is elevated because automation plus scheduling can normalize ongoing collection and correlation of personal data without sufficient transparency, consent, or guardrails.

Missing User Warnings

Severity: Medium | Confidence: 95%
The self-update flow fetches code from a remote repository and then recursively copies the extracted contents over the current skill directory. This creates a supply-chain and integrity risk because remote code is trusted and installed automatically, with little user visibility and no verification step such as signature or pinned commit validation.

Missing User Warnings

Severity: Medium | Confidence: 93%
Initialization performs persistent side effects by registering cron jobs and modifying HEARTBEAT.md, which can cause recurring autonomous execution beyond the immediate user request. Because these actions occur during first invocation and are not prominently disclosed near command usage, users may unknowingly grant the skill long-lived execution and configuration changes.

Missing User Warnings

Severity: Medium | Confidence: 91%
The skill explicitly instructs writing proposal and decision JSON files into a fixed local path under the user's home directory without any warning, consent flow, or safety boundary. In an agent context, this can cause unauthorized local state changes, persistence, or tampering with downstream automation inputs, especially because the files are intended to drive promotion and self-improvement workflows.

Missing User Warnings

Severity: Medium | Confidence: 92%
The file mandates persistent journaling of every run to a fixed path and includes rich metadata fields such as commands, timestamps, model/runtime details, and decision summaries, but it provides no guidance on data minimization, redaction, retention, or access controls. If runs contain sensitive prompts, identifiers, or operational context, these records can accumulate on disk and become a secondary disclosure source through local compromise, backups, or overbroad sharing.

Vague Triggers

Severity: Medium | Confidence: 92%
The plan explicitly recommends periodic execution against random contacts, which creates overly broad access to personal data without a user-initiated need, case-specific justification, or exclusion logic. In the context of a contact-enrichment workflow that scans Gmail and external sources, broad invocation scope materially increases privacy risk and the chance of unnecessary collection.

Missing User Warnings

Severity: High | Confidence: 97%
The description states the plan will scan all Gmail history for a person and write inferred facts back to Weave, but it provides no prominent consent notice, privacy warning, retention disclosure, or data-minimization boundary. Because this involves first-party email content and inferred sensitive attributes, the absence of clear user warning and consent makes the workflow dangerous and likely non-compliant with privacy expectations.

Missing User Warnings

Severity: Medium | Confidence: 89%
The workflow explicitly instructs the agent to create directories and write persistent state files such as `state.json` and `decisions.jsonl`, but it does not warn users that invoking a plan causes durable filesystem changes. This can lead to unintended data persistence, privacy issues, and surprise side effects, especially when runs are triggered by cron or heartbeat automation rather than an interactive user session.

Missing User Warnings

Severity: Medium | Confidence: 91%
The skill states that plans invoke other skills and even names integrations like Gmail, Scout OSINT, Sift web search, and Weave, but it does not warn that executing a plan may access external services and process user or third-party data. This creates a transparency and consent gap: a user may trigger a plan expecting local orchestration while the system actually performs networked actions and data access through downstream skills.

Vague Triggers

Severity: Medium | Confidence: 91%
The description embeds broad trigger phrases such as 'manage this project' and 'coordinate a multi-step analysis' that can match many ordinary user requests, making accidental invocation likely. In this skill's context, that is more dangerous because the skill has access to cross-skill journals and can write proposed changes into Forge intake, so an unintended activation could expose sensitive workflow data or initiate unauthorized orchestration actions.

Ssd 3

Severity: High | Confidence: 99%
These instructions direct exhaustive review of all returned Gmail messages and extraction of highly sensitive personal details such as family relationships, health events, life events, alternate contact methods, location, and interests, then persist them into another system. The skill context makes this especially dangerous because it operationalizes bulk surveillance of private communications and converts contextual email content into durable structured dossiers.

Ssd 3

Severity: High | Confidence: 96%
The plan normalizes recurring enrichment of random contacts by combining private Gmail history with public-source research, enabling ongoing accumulation of personal data without a specific user-driven trigger. Repeated automated collection across random people increases the scale, persistence, and likelihood of misuse or over-collection.

Ssd 3

Severity: Medium | Confidence: 90%
The final logging step records the enriched contact identity and plan details into persistent artifacts such as decisions.jsonl and an action journal, extending the exposure surface of personal data beyond the primary datastore. In a workflow already handling sensitive inferred facts, duplicating identifiers and run metadata into logs increases breach impact, discoverability, and retention risk.

VirusTotal

64/64 vendors flagged this skill as clean.