Claw2Claude

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed bridge to Claude Code, but it needs careful review because it runs Claude unattended with skipped permissions and broad cross-session result delivery.

Install only if you intentionally want OpenClaw to hand tasks to Claude Code in a non-interactive mode. Use it on trusted project directories, avoid secrets in prompts, review generated files and logs, and understand that enabling the required OpenClaw settings allows background helper processes to send messages across sessions; this is not suitable for highly sensitive or multi-user environments without tighter scoping.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The README instructs users to set session visibility to "all" and allow external use of messaging tools so a background notifier can send messages outside the originating AI session. That materially expands the gateway trust boundary from local Claude delegation to broad cross-session communication, increasing the chance of unauthorized message delivery, data leakage, and abuse by other local processes that can reach the gateway.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The Discord Bot API fallback adds an extra outbound messaging path beyond the stated purpose of delegating to a local Claude CLI and returning results through OpenClaw. This creates an additional network-capable exfiltration channel and bypass path if gateway controls fail or are unavailable, which broadens the attack surface and complicates auditing.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
Auto-detecting the most recently active user session from local session metadata can cause results to be sent to the wrong recipient or channel, especially in multi-user or multi-platform environments. This behavior exceeds narrow task delegation because it infers a destination rather than using the explicit invoking context, creating a real privacy and integrity risk.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation asks operators to enable broad cross-session messaging without a prominent warning about privacy, misdelivery, and abuse implications. Even if intended for convenience, omitting those warnings can lead users to deploy an over-privileged configuration they do not fully understand, making accidental exposure more likely.

Missing User Warnings

Low
Confidence: 87%
Finding
The README describes reading local session metadata to infer a recipient channel but does not clearly warn users that session activity data is being accessed and used for message routing. This transparency gap increases the chance of surprising behavior and privacy-sensitive misconfiguration, though it is primarily a documentation and consent problem rather than direct code execution.

Vague Triggers

Medium
Confidence: 87%
Finding
The activation rules trigger on broad cues such as asking for a 'better model' or merely mentioning an existing project path, which can cause the skill to launch an external high-privilege executor unexpectedly. In this skill's context, that is more dangerous because invocation leads to automated Claude runs with '--dangerously-skip-permissions' and file writes in a project directory.

Vague Triggers

Medium
Confidence: 84%
Finding
The 'ask first' criteria depend on subjective judgments like whether a task is an 'idea or direction' or may need iteration, making invocation boundaries inconsistent and hard to audit. Ambiguity is risky here because inconsistent decisions can push normal conversations into a persistent, logged, cross-session orchestration flow with elevated automation privileges.

Missing User Warnings

Medium
Confidence: 89%
Finding
The logging helper forwards prompt excerpts, project path, mode, session key, and Claude session metadata to an external Python helper without any in-band consent check or minimization beyond truncating the prompt to 200 characters. Prompts often contain secrets, internal paths, or proprietary task details, so this creates a privacy and data-handling risk in a delegation skill that may process sensitive user inputs.

Missing User Warnings

Medium
Confidence: 94%
Finding
The notifier is explicitly designed to send parsed Claude results to the OpenClaw gateway, meaning project-derived output leaves the local environment automatically. Because the delegated model may inspect repository contents or generate summaries containing sensitive code, credentials, or business information, silent exfiltration to an external service is materially dangerous.

Missing User Warnings

Medium
Confidence: 92%
Finding
This script persistently logs potentially sensitive data including the absolute project path, a session key, a Claude session identifier fragment, and the user prompt text. Even though the write is local and appends JSON safely, the issue is an information exposure risk: prompts can contain secrets or proprietary data, and session identifiers and project paths can aid later compromise if the log file is accessed by another user, process, backup system, or support workflow.

VirusTotal

65/65 vendors flagged this skill as clean.