Cn Client Investigation

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent China-company research workflow, but it needs Review because it embeds an API credential in its own code, sends that credential to a plaintext http:// endpoint, and runs external build/helper code (npm install, node compile.js, and a path-overridable DOCX helper) while generating deliverables.

Install only if you accept a review-level skill that contacts external financial/business-data services, reads local OpenClaw credential config (~/.openclaw/openclaw.json), and runs Node/npm build steps. Prefer running it in a sandbox that holds no unrelated secrets, remove the embedded Tushare token from the code and rotate it, require HTTPS for every credentialed API call, and leave the /tmp DOCX helper override (MD_TO_DOCX_MJS) unset unless you fully control that file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
}, indent=2))
    if not (slides_dir / "node_modules" / "pptxgenjs").exists():
        print("Installing pptxgenjs...")
        r = subprocess.run(["npm", "install", "--omit=dev", "--silent"],
                           cwd=str(slides_dir), capture_output=True, text=True,
                           timeout=120)
        if r.returncode != 0:
Confidence
78% confidence
Finding
r = subprocess.run(["npm", "install", "--omit=dev", "--silent"], cwd=str(slides_dir), capture_output=True, text=True, timeout=120)

Dynamic import via __import__()

Medium
Category
Dangerous Code Execution
Content
# the v0.9.x smoke tests. When the banker workflow stabilises, this will
# move into scripts/ proper — for now we accept a path override via env.
MD_TO_DOCX = pathlib.Path(
    __import__("os").environ.get("MD_TO_DOCX_MJS", "/tmp/md_to_docx.mjs")
)
Confidence
87% confidence
Finding
__import__("os").environ.get("MD_TO_DOCX_MJS", "/tmp/md_to_docx.mjs")
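The finding above is a helper script whose location defaults to a world-writable directory, so any local user who gets to /tmp first chooses what node later executes. A hardened loader for that override, as an added example and not code from the scanned skill: it keeps the MD_TO_DOCX_MJS variable name the report shows but has no default path, resolves symlinks before inspecting the target, and refuses a helper that the current user does not own, that others can write, or whose directory would let others replace it. The ownership and permission rules are this example's own policy; fake_stat and stat_table exist only so the checks can be exercised without touching a real filesystem.

```python
"""Trust checks before running a path-overridable helper script.

Added example, not code from the scanned skill. Replaces the reported
pattern  pathlib.Path(os.environ.get("MD_TO_DOCX_MJS", "/tmp/md_to_docx.mjs"))
with a loader that has no default and refuses helpers another local user
could have planted or can still modify. The refusal rules are this
example's own policy, not behaviour of the skill.
"""
import os
import pathlib
import stat


class MissingHelper(RuntimeError):
    """Raised when no helper path was configured; there is no /tmp default."""


class UntrustedHelper(RuntimeError):
    """Raised when the configured helper fails ownership/permission checks."""


def fake_stat(mode: int, uid: int) -> os.stat_result:
    """Constructed stat result for offline tests (only st_mode and st_uid are used)."""
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))


def stat_table(file_st: os.stat_result, dir_st: os.stat_result):
    """Offline stand-in for os.stat: the .mjs helper gets file_st, its directory dir_st."""
    return lambda p: file_st if pathlib.Path(p).suffix == ".mjs" else dir_st


def helper_problems(file_st: os.stat_result, dir_st: os.stat_result, uid: int) -> list[str]:
    """Reasons the helper must not be executed; an empty list means acceptable.

    Policy (this example's own): the helper must be a regular file owned by the
    current user and writable by nobody else; its directory must be owned by the
    current user or root, and if other users can write there it must carry the
    sticky bit so they cannot swap the file between this check and the run.
    """
    problems = []
    if not stat.S_ISREG(file_st.st_mode):
        problems.append("helper is not a regular file")
    if file_st.st_uid != uid:
        problems.append(f"helper owned by uid {file_st.st_uid}, not {uid}")
    if file_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("helper is group- or world-writable")
    if not stat.S_ISDIR(dir_st.st_mode):
        problems.append("helper directory is not a directory")
    if dir_st.st_uid not in (uid, 0):
        problems.append(f"helper directory owned by uid {dir_st.st_uid}")
    if dir_st.st_mode & stat.S_IWOTH and not dir_st.st_mode & stat.S_ISVTX:
        problems.append("helper directory is world-writable without the sticky bit")
    return problems


def resolve_helper(env, uid=None, stat_fn=os.stat) -> pathlib.Path:
    """Resolve MD_TO_DOCX_MJS with no default and refuse untrusted files.

    stat_fn is injectable so the rules can be exercised without a filesystem.
    """
    raw = env.get("MD_TO_DOCX_MJS")
    if not raw:
        raise MissingHelper("MD_TO_DOCX_MJS is not set; refusing to guess a /tmp path")
    if uid is None:
        uid = os.getuid()
    path = pathlib.Path(raw).expanduser().resolve()   # follow symlinks before stat'ing
    problems = helper_problems(stat_fn(path), stat_fn(path.parent), uid)
    if problems:
        raise UntrustedHelper(f"{path}: " + "; ".join(problems))
    return path


def resolve_outcome(env, uid, stat_fn=os.stat) -> str:
    """Tooling/test wrapper: 'ok:<path>', 'missing-env' or 'untrusted:<reasons>'."""
    try:
        return "ok:" + str(resolve_helper(env, uid, stat_fn))
    except MissingHelper:
        return "missing-env"
    except UntrustedHelper as exc:
        return "untrusted:" + str(exc)


if __name__ == "__main__":
    # Constructed scenario: helper sitting in a root-owned sticky /tmp but
    # created by a different local user (uid 1001) than the one running (1000).
    planted = stat_table(fake_stat(0o100644, 1001), fake_stat(0o41777, 0))
    print(resolve_outcome({"MD_TO_DOCX_MJS": "/tmp/md_to_docx.mjs"}, 1000, planted))
    print(resolve_outcome({}, 1000))
```

The check deliberately stats the resolved path and its parent rather than the string the operator typed, so a symlink from a safe-looking location into /tmp is judged by where it actually points.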

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if r.returncode != 0:
            sys.exit(f"npm install failed: {r.stderr[:500]}")

    r = subprocess.run(["node", "compile.js"], cwd=str(slides_dir),
                       capture_output=True, text=True, timeout=180)
    sys.stdout.write(r.stdout)
    sys.stderr.write(r.stderr)
Confidence
95% confidence
Finding
r = subprocess.run(["node", "compile.js"], cwd=str(slides_dir), capture_output=True, text=True, timeout=180)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
}, indent=2))

    if not (slides_dir / "node_modules" / "pptxgenjs").exists():
        r = subprocess.run(["npm", "install", "--omit=dev", "--silent"],
                           cwd=str(slides_dir), capture_output=True,
                           text=True, timeout=120)
        if r.returncode != 0:
Confidence
98% confidence
Finding
r = subprocess.run(["npm", "install", "--omit=dev", "--silent"], cwd=str(slides_dir), capture_output=True, text=True, timeout=120)

Tainted flow: 'r' from os.environ.get (line 39, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
r = urllib.request.Request(
        "http://api.tushare.pro", data=body.encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    return json.loads(urllib.request.urlopen(r, timeout=15).read())


def items_to_dicts(resp: dict) -> list[dict]:
Confidence
97% confidence
Finding
return json.loads(urllib.request.urlopen(r, timeout=15).read())

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
A hardcoded Tushare API token is embedded directly in the script, which means anyone with access to the code can reuse the credential for unauthorized external access. In a shared agent skill, this also creates silent outbound capability that may bypass user expectations and can lead to credential leakage, abuse, billing impact, or account compromise.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Runtime package installation is not necessary for a pure investigation skill and materially expands the trust boundary to the npm ecosystem. In this context, that means a data-analysis skill can unexpectedly fetch and execute third-party code on the host, creating avoidable supply-chain exposure.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script sends sensitive business query terms (`company_name`) and API-backed requests through an external Node bridge without any explicit disclosure in the script header or usage text. In a banker-grade investigation workflow, target identities and enrichment activity can be commercially sensitive, so silent transmission to a configured external endpoint increases data-leakage and compliance risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script reads API-related configuration from `~/.openclaw/openclaw.json`, including credentials and endpoint settings, without making that behavior explicit to the user. In this skill context, that is more concerning because the script is designed for external due-diligence reporting, so undisclosed credential and endpoint use can lead to accidental transmission of sensitive client investigation data to a non-obvious backend.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script silently falls back to a built-in API token and sends requests outward without any warning to the user. This creates undisclosed external data access and credential exposure risk, and in a security-sensitive investigation workflow it undermines auditability and operator consent.
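The tainted-flow finding, the hardcoded-token finding and this silent-fallback finding describe one request path: a token taken from the environment (or, failing that, from a string in the script) is placed in a JSON body and POSTed to http://api.tushare.pro. The following is an added example, not code from the scanned skill, that shows that pattern beside a hardened builder which fails closed on a missing token, refuses any non-https endpoint, and produces an operator-visible description with the token redacted. Assumptions not taken from the report: the variable names TUSHARE_TOKEN and TUSHARE_ENDPOINT, the JSON field names, and the https:// form of the host (the report shows only the http:// URL); the fallback string in the vulnerable version is a placeholder, not the real embedded token.

```python
"""Vulnerable and hardened builders for the reported Tushare request path.

Added example, not code from the scanned skill. Only Request objects are
built; nothing is sent, so it runs offline.
"""
import json
import os
import urllib.parse
import urllib.request

DEFAULT_ENDPOINT = "https://api.tushare.pro"   # assumption: TLS form of the reported host


class MissingCredential(RuntimeError):
    """Raised instead of silently substituting a built-in token."""


def vulnerable_request(api_name: str, params: dict, env=None) -> urllib.request.Request:
    """The flow the scanner flagged: env token with an embedded fallback, posted
    over plaintext HTTP. The fallback string is a placeholder for illustration."""
    env = os.environ if env is None else env
    token = env.get("TUSHARE_TOKEN") or "EMBEDDED-TOKEN-PLACEHOLDER"
    body = json.dumps({"api_name": api_name, "token": token, "params": params})
    return urllib.request.Request(
        "http://api.tushare.pro", data=body.encode(),
        headers={"Content-Type": "application/json"}, method="POST")


def require_https(url: str) -> str:
    """Allow only https:// URLs with a host; a credential never rides plaintext."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"credentialed endpoint must be https://, got {url!r}")
    return url


def hardened_request(api_name: str, params: dict, env=None) -> urllib.request.Request:
    """Build the same POST, but fail closed on a missing token or non-TLS endpoint."""
    env = os.environ if env is None else env
    token = env.get("TUSHARE_TOKEN")
    if not token:
        raise MissingCredential("TUSHARE_TOKEN is not set; there is no embedded fallback")
    endpoint = require_https(env.get("TUSHARE_ENDPOINT", DEFAULT_ENDPOINT))
    body = json.dumps({"api_name": api_name, "token": token, "params": params})
    return urllib.request.Request(
        endpoint, data=body.encode(),
        headers={"Content-Type": "application/json"}, method="POST")


def describe(req: urllib.request.Request) -> str:
    """What the operator should see before the call: method, destination and
    API name, with the token redacted so logs and transcripts never carry it."""
    payload = json.loads(req.data.decode())
    return f"{req.get_method()} {req.full_url} api_name={payload['api_name']} token=<redacted>"


def hardened_outcome(api_name: str, params: dict, env) -> str:
    """Tooling/test wrapper: 'ok:<endpoint>', 'missing-credential' or 'bad-endpoint'."""
    try:
        return "ok:" + hardened_request(api_name, params, env).full_url
    except MissingCredential:
        return "missing-credential"
    except ValueError:
        return "bad-endpoint"


if __name__ == "__main__":
    demo_env = {"TUSHARE_TOKEN": "example-token"}   # constructed, not a real credential
    print(describe(hardened_request("stock_basic", {"list_status": "L"}, demo_env)))
    print(hardened_outcome("stock_basic", {}, {}))
    print(hardened_outcome("stock_basic", {},
                           {"TUSHARE_TOKEN": "x", "TUSHARE_ENDPOINT": "http://api.tushare.pro"}))
```

Printing describe() before every outbound call is the cheapest fix for the "no warning to the user" part of these findings: the operator sees the destination and the API being queried, and the token itself stays out of stdout.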

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script loads a PrimeMatrix API key from local config and forwards it to a subprocess that performs an external lookup, without making that credential use explicit to the operator. This broadens the credential exposure surface because the key is now available to another executable and any compromise or unexpected behavior in the bridge could misuse it.

VirusTotal

65/65 vendors flagged this skill as clean.