OpenClaw Skill Compounder (技能组合器)

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only workflow skill, but it can chain into publishing, portfolio updates, and persistent knowledge-base changes without consistently requiring clear final approval.

Install only if you want a powerful orchestrator and can review each generated chain before it runs. Keep auto_publish and update_portfolio disabled by default, verify downstream skills and accounts, and require manual approval before publishing, updating portfolio records, writing wiki indexes or concept graphs, using logged-in scraping, or applying generated skill changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)

Context-Inappropriate Capability

Severity: Medium (84% confidence)

Finding:
The documented chain includes `wechat-mp-upload`, enabling direct publication from a generic orchestration skill. In a compounder/orchestrator context, allowing publish/upload as part of an automatically generated workflow increases the chance of unintended external actions, especially when combined with dynamic intent matching and chain generation.

Description-Behavior Mismatch

Severity: Medium (89% confidence)

Finding:
The declared purpose is article-to-Wiki conversion, but the pipeline also performs persistent side effects by updating a shared knowledge index and modifying a concept graph. This creates scope expansion beyond user-visible formatting and can cause unintended or unauthorized changes to a broader knowledge base if triggered on untrusted or low-quality input.

Context-Inappropriate Capability

Severity: Medium (82% confidence)

Finding:
Updating a concept graph is not necessary for basic article-to-Wiki conversion and introduces additional write capabilities driven by extracted concepts from potentially noisy or adversarial content. This can pollute the graph, create misleading relationships, or be abused to inject low-integrity metadata into downstream knowledge systems.

Description-Behavior Mismatch

Severity: Medium (92% confidence)

Finding:
The manifest frames the skill as note analysis and article creation, but the workflow also performs downstream WeChat formatting and potential publication. This scope mismatch is security-relevant because users or orchestrators may grant the skill broader network and publishing capabilities than implied, increasing the chance of unintended external data transfer or content publication.

Context-Inappropriate Capability

Severity: Medium (95% confidence)

Finding:
Step 5 includes `wechat-mp-upload` with `auto_publish` support, which extends the skill from content transformation into external account action. Even if `auto_publish` defaults to false, exposing publication capability without strong justification and confirmation creates a meaningful risk of accidental or unauthorized posting to a public channel.

Missing User Warnings

Severity: Medium (90% confidence)

Finding:
The documentation shows automatic upload/publishing behavior near the execution chain without an adjacent warning or mandatory confirmation. In a skill that dynamically composes multi-step workflows, silent publication is risky because generated content could be posted to external platforms without sufficient user review.

Missing User Warnings

Severity: High (96% confidence)

Finding:
The template exposes `auto_publish` as a normal parameter without an explicit warning, making unsafe publication appear routine. If a downstream system honors this field, users or generated chains may trigger public posting unintentionally, causing reputational harm, policy violations, or disclosure of sensitive content.

Vague Triggers

Severity: Medium (91% confidence)

Finding:
The trigger keywords for the writer skill are very broad natural-language phrases such as '帮我写' and '改写', which are likely to appear in ordinary requests. In a compounder/registry system that auto-selects and chains skills, this can cause unintended skill activation and route user data or tasks into workflows the user did not explicitly request.

Vague Triggers

Severity: Medium (90% confidence)

Finding:
The search skill uses generic triggers like '搜索' and '查一下', which are common conversational phrases and can match a wide range of benign user prompts. In this registry context, that increases the risk of overbroad activation of search or downstream chained skills, potentially causing unnecessary external queries, data exposure, or unapproved task execution.

Vague Triggers

Severity: Medium (85% confidence)

Finding:
Transformation/formatting triggers such as '转markdown', '格式转换', and '生成md' are ambiguous and can be invoked by many ordinary requests that merely mention conversion. Because this file is a central registry for orchestration, ambiguous activation can unintentionally process documents, create files, or feed outputs into other skills, increasing the chance of unwanted data handling and workflow execution.

Vague Triggers

Severity: Medium (94% confidence)

Finding:
The trigger list contains broad phrases such as generic requests for combining skills or automating multi-step work, which can match ordinary user intent without making it clear that this skill may invoke multiple downstream skills and side-effecting actions. In a compounder/orchestrator skill, overbroad activation is more dangerous than usual because a false match can cause chained execution, data propagation across skills, and unintended publishing or analysis actions.

Missing User Warnings

Severity: Medium (97% confidence)

Finding:
The description advertises one-click automatic chaining of multiple skills but does not warn users that downstream skills may perform external actions, transform data, or publish content. In this context, the omission is significant because the documented templates include upload/publishing and automated analysis flows, so users may unknowingly trigger multi-step execution with broader scope than expected.

Vague Triggers

Severity: Medium (87% confidence)

Finding:
The trigger examples are broad natural-language requests such as asking to help fetch web content and write an article, which can cause the pipeline to activate in situations where the user did not clearly intend a multi-step scrape/rewrite/publish workflow. In this skill, accidental invocation is more dangerous because the chained actions include external fetching and possible publication, amplifying the effect of an ambiguous trigger.

Missing User Warnings

Severity: Medium (94% confidence)

Finding:
The template advertises a full pipeline from web collection to WeChat publication but does not clearly warn users that external content will be fetched, transformed, and potentially transmitted to third-party services or published automatically. This is dangerous because users may unknowingly expose sensitive input, infringe copyright, or trigger unintended public posting when auto_publish is enabled.

Vague Triggers

Severity: Medium (77% confidence)

Finding:
The trigger phrases are broad, everyday requests that could match ambiguous user intent and invoke a workflow with network fetching and persistent knowledge-base updates. In this skill context, overbroad activation is riskier because the pipeline does more than simple formatting and can modify shared data stores.

Missing User Warnings

Severity: Medium (93% confidence)

Finding:
The skill fetches external content and performs write-like operations such as updating an index and concept graph, yet it provides no user warning, consent step, or risk disclosure. This increases the chance of users unknowingly causing repository changes, ingesting untrusted content, or modifying shared knowledge structures without review.

Vague Triggers

Severity: Medium (83% confidence)

Finding:
The trigger phrases are broad everyday requests such as helping turn notes into an article, which can cause the compound skill to activate in contexts where the user did not intend multi-step fetching, rewriting, and possible upload behavior. In a skill with network retrieval and publication-related steps, overbroad triggering increases the chance of unintended execution and data handling.

Missing User Warnings

Severity: Medium (90% confidence)

Finding:
The skill description and early pipeline steps involve fetching external note content and later uploading to WeChat, but the template does not clearly warn about network transmission, third-party processing, or publication risks. This reduces informed consent and can lead users to provide sensitive notes or links without understanding that content may leave the local environment and be prepared for publication.

Vague Triggers

Severity: Medium (95% confidence)

Finding:
The trigger phrases are broad enough to match ordinary investment-related user requests, which can cause this compound skill to auto-activate in situations where the user did not explicitly intend a multi-step pipeline. In this context, the pipeline can progress from research into recommendation generation and potentially portfolio updates, so overbroad triggering increases the risk of unanticipated financial-advice and account-changing behavior.

Missing User Warnings

Severity: Medium (97% confidence)

Finding:
Step 4 performs a state-changing portfolio update based on prior automated analysis, yet the template description does not prominently warn users that the workflow can alter holdings or portfolio records. In an investment context, hidden or insufficiently disclosed write actions are particularly dangerous because users may believe they are requesting analysis only, while the pipeline is configured to proceed to a modification step when a flag is set.

Vague Triggers

Severity: Medium (90% confidence)

Finding:
The trigger conditions and example phrases are broad enough to overlap with ordinary user requests, which can cause the compound skill to activate unintentionally. In a multi-step pipeline that performs external search and report generation, accidental invocation can lead to unnecessary network access, unexpected data processing, and user confusion about what actions are being taken on their behalf.

Missing User Warnings

Severity: Medium (97% confidence)

Finding:
This template chains external search engines and passes gathered data across multiple skills without any visible user warning about network access, third-party data exposure, or privacy implications. That is dangerous because users may provide sensitive research topics or internal material that is then transmitted externally and propagated through downstream components without informed consent.

Vague Triggers

Severity: Medium (89% confidence)

Finding:
The trigger keywords are broad natural-language phrases such as '优化这个skill' and '改进技能', which can overlap with ordinary support requests rather than explicit invocation of this pipeline. In a compounder/orchestration skill, accidental activation is more dangerous because it can launch a multi-step workflow that analyzes and rewrites skills based on user-supplied paths, causing unintended modifications or cascading execution.

Vague Triggers

Severity: Medium (84% confidence)

Finding:
The Step 1 trigger condition, '用户指定待优化的Skill路径', is underspecified and does not clearly constrain when the workflow should begin or how the path should be validated. In context, this skill consumes `${user.skill_path}` and passes it through multiple chained steps, so ambiguous activation increases the chance of processing unintended targets or being steered into self-modification flows without clear operator intent.

Vague Triggers

Severity: Medium (89% confidence)

Finding:
The trigger phrases are broad, generic requests like '分析一下这个视频的重点' and '帮我提取这个视频的内容', which are likely to overlap with normal user intent and may cause this compound skill to activate unintentionally. Because this pipeline can process user-supplied video URLs or local paths and chain multiple downstream skills automatically, accidental invocation increases the chance of unintended data processing and privacy exposure.

VirusTotal

64/64 vendors flagged this skill as clean.