Setup

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only setup guide, but it recommends several powerful OpenClaw configurations that could expose a user's machine, browser, email, memory, or gateway if copied without careful review.

Install only if you want a broad OpenClaw configuration reference and will review each example before applying it. Prefer allowlisted or sandboxed exec, isolated browser profiles, metadata-only email ingestion, local/private memory search, loopback or strongly authenticated gateways, and explicit opt-in for public exposure, audio processing, webhook-to-agent automation, session indexing, and auto memory capture.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Context-Inappropriate Capability

Severity: Medium
Confidence: 82%
Finding:
The document recommends external embedding providers and API-key-backed remote indexing without tying them to a clear need in a setup/hardening skill. This can normalize sending workspace memory and notes to third-party services, expanding data exposure beyond what a user may expect from installation guidance.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The skill presents a `full` tool profile as the default configuration for a setup/hardening skill, which grants far more capability than its stated purpose requires. Excess capabilities increase the blast radius of prompt misuse, operator error, or downstream skill compromise, especially when combined with file writing, browser access, and command execution.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The browser configuration enables active browser control and includes a relay into the user's real Chrome profile, which can expose authenticated sessions, history, cookies, and sensitive page content. For a setup skill, this is unrelated scope expansion and materially increases privacy and account-compromise risk if abused.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The exec tool allows command execution with broad developer-oriented binaries including `git`, `npm`, `node`, and `python`, which can be chained into impactful system actions even under an allowlist model. In a setup skill, normalizing this capability without strict task bounds creates a clear path to system modification, code execution, package installation, and data access beyond the stated purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The skill loading configuration permits external directories, hot-reloading, and GitHub-backed skill installation while referencing a sensitive `GITHUB_TOKEN`. This combination expands the trust boundary to third-party and local content, increasing the risk of loading unreviewed skills, token misuse, and supply-chain compromise.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The heartbeat example config enables periodic outbound messaging to Telegram and includes a prompt to inspect local workspace content, but it does not warn users that agent-generated messages and potentially derived local data will be transmitted to an external service. In a setup/configuration skill, omitting that disclosure can lead to unintentional data egress and privacy or compliance issues, especially if HEARTBEAT.md contains sensitive operational content.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The memorySearch configuration shows use of external providers such as OpenAI for searching memory and session data, but it does not disclose that stored conversation history or memory-derived content may be sent to third-party services for processing. In a setup skill focused on production recommendations and security hardening, this omission is more concerning because users may assume the example is privacy-safe and enable external processing without understanding the data-sharing implications.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The Gmail Pub/Sub example enables `includeBody: true`, which causes full email contents to be ingested by the system. That increases exposure of sensitive data such as passwords, financial information, personal data, and confidential business content, especially when paired with downstream model processing and webhook-style automation.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The documentation provides multiple ways to expose the gateway beyond localhost, including LAN binding and remote connectivity, but does not place a clear, prominent warning next to those examples about increased attack surface and the need for strong authentication, TLS, and network restrictions. In a setup skill, users may copy these snippets directly into production, so omission of security caveats can lead to unintended exposure of a control surface or API.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The `funnel` mode is described as public internet access with only a brief note that password auth is required, but it lacks a strong warning that this publishes the gateway to the public internet and materially increases the risk of unauthorized access, brute force attempts, and compromise of connected capabilities. Because this is a configuration guide intended to help users deploy services, the absence of a prominent warning makes risky deployment more likely.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
Including `sessions` as a memory source enables prior conversation transcripts to become searchable without any privacy warning. Session histories often contain credentials, personal data, or sensitive prompts, so indexing them can unintentionally widen access and persistence of sensitive information.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The recommended OpenAI embedding configuration omits a warning that memory contents may be transmitted to a remote provider for embedding. Users following the example may unknowingly export internal notes or sensitive memory content outside their local environment.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
Automatic indexing on session start, on search, and continuous file watching are described without warning that workspace content may be continuously monitored and ingested. This increases the chance that newly added secrets, drafts, or regulated data are captured without deliberate user review.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The QMD example indexes an external notes path using a broad markdown glob without warning about the volume and sensitivity of included data. Users may accidentally ingest large personal or organizational note collections into searchable memory, increasing exposure and discovery risk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The session indexing section explicitly documents ingestion of past conversations without warning that prior prompts and responses may become persistent searchable memory. Because conversations often include secrets or confidential context, this creates a meaningful privacy and data-minimization risk.

Missing User Warnings

Severity: High
Confidence: 94%
Finding:
Auto-capture and auto-recall can silently collect and reuse sensitive content, creating a durable memory layer that may surface secrets or confidential data in later contexts. In a setup-oriented skill, presenting these features without any privacy or security warning makes accidental over-collection more likely and raises the chance of unintended disclosure.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The voice-first configuration sends user audio and derived content to third-party providers (ElevenLabs for TTS and OpenAI Whisper for transcription) but does not include any explicit notice, consent requirement, or data-handling warning. In a setup guide, this can cause operators to enable privacy-sensitive processing by default without understanding retention, cross-border transfer, or provider-side logging risks.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The documented profile enables write/edit/exec-capable operation without warning users that the agent may modify files or execute impactful actions. Lack of user-facing disclosure raises the chance of unsafe consent, accidental system changes, and misuse in environments where operators assume the skill is informational only.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
Referencing the user's Chrome via extension relay without a privacy warning obscures that the agent may gain access to authenticated browsing context and personal data. Users may unknowingly expose session content, account state, and private information to the skill or connected tooling.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The audio transcription section omits that uploaded media may be transmitted to third-party providers, which is a meaningful privacy and compliance risk. In setup documentation, this missing disclosure can lead users to submit sensitive recordings without informed consent about external processing.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skills section combines tokenized GitHub access with external skill installation and provides no warning about trust, code review, or credential exposure. That omission makes supply-chain abuse and accidental secret leakage significantly more likely, especially because this is framed as routine setup guidance.

VirusTotal

65/65 vendors flagged this skill as clean.