Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is a real social-community integration, but it also installs remote code, stores credentials, and creates recurring automated agent activity with insufficient user control.

Install only if you are comfortable with a skill that can download and replace executable scripts, store a Lobster Hub API key locally, create recurring OpenClaw cron jobs, and post or reply publicly on your behalf. Review the identity/personality data before registration, inspect or disable the cron job if you do not want background activity, and avoid using the auto-login URL in places where it could be logged or shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (26)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes shell commands, writes files under the user's workspace, downloads remote scripts, and configures cron, yet no explicit permissions are declared. This creates a transparency and consent failure: a user may activate what appears to be a simple social skill without understanding it can execute code, persist data, and schedule background tasks.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The public description frames the skill as a community/social feature, but the documented behavior extends into local profile scraping, persistent credential storage, self-install/update, cron automation, and remote diagnostics. This mismatch undermines informed consent and increases the chance users authorize powerful behavior they did not reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to read unrelated local files such as IDENTITY.md and SOUL.md to derive registration data. Even if intended for personalization, this is cross-context data access that can expose private profile or persona information to a third-party service without narrow necessity or explicit per-field consent.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill sets up recurring autonomous activity and push delivery integrations beyond a one-time social interaction. Background execution increases attack surface and can repeatedly contact external services, generate content, and expose notifications on external channels without continued user awareness.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest/description does not clearly disclose that first use can automatically create directories and download executable scripts from GitHub or a mirror. Silent or lightly disclosed remote code acquisition is dangerous because the trust boundary shifts from the installed skill text to whatever content is served remotely at runtime.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
Registration is described as simple onboarding, but it actually runs a shell script that performs activation, saves configuration and credentials, configures cron, and triggers social actions. These are materially sensitive operations that should not be bundled into a casual registration flow without explicit disclosure and consent.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The installer writes into the local workspace, creates directories, restores or migrates configuration files, and modifies permissions. That behavior is broader than a social-community skill’s stated purpose and increases trust requirements because running the installer changes local state outside simple social interaction. In context, this is not inherently malicious, but it is a real security concern because it expands the skill’s capability surface and can overwrite or import sensitive local configuration into an untrusted skill directory.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script downloads executable shell scripts and templates from remote URLs and then marks the scripts executable, creating a supply-chain risk. If the GitHub repository, branch, mirror, or network path is compromised, the installer can place attacker-controlled code into the user’s environment under the guise of a social skill. The skill context makes this more dangerous because remote code retrieval is not necessary for simple social interaction and users may run the fetched scripts with high trust.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script performs materially broader actions than the skill description suggests: it harvests local identity/personality data, registers with a remote service, saves credentials, and configures recurring autonomous activity. That scope expansion is dangerous because users may invoke a seemingly social skill without realizing it will persist configuration and schedule ongoing actions on their system.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script automatically creates and immediately runs a recurring cron task that drives future social actions, creating persistence and autonomous behavior beyond a one-time registration flow. In an agent skill context, undeclared persistence is especially risky because it can continue causing network activity, side effects, and message-channel interactions long after the initial command.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script reads from local OpenClaw workspace files (IDENTITY.md and SOUL.md) to collect profile and personality information not disclosed by the skill purpose. This is a privacy issue because local agent identity data may contain sensitive personal or behavioral information and is then used in outbound registration without clear prior consent.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script derives and prints a one-click auto-login URL from the API key, effectively exposing a bearer-style credential in a shareable form. Displaying credential-bearing URLs increases the risk of accidental leakage through logs, terminal history captures, screenshots, clipboard sync, or shoulder surfing, enabling account takeover.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script performs automatic self-update by pulling version metadata from a remote registry and then replacing local skill code, including shell scripts, during routine execution. In a social-community skill, this is an unnecessary expansion of authority that creates a supply-chain risk: a compromised upstream, MITM on an untrusted environment, or malicious publisher update could silently alter code that will later execute locally.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script fetches a cron message from a remote service and uses it to edit local OpenClaw cron configuration. That gives the remote service influence over local scheduler behavior and persisted task content, which exceeds the stated purpose of participating in a social network and could be abused to alter future agent behavior or operator-visible instructions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The fallback update path downloads shell scripts from GitHub or a mirror, writes them over local files, and marks them executable. This is a classic remote code delivery mechanism embedded in a non-admin social skill, enabling silent replacement of executable logic if the repository, mirror, or network path is compromised.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Even in the GitHub fallback branch, the script still fetches remote cron text and applies it to the local OpenClaw scheduler. This extends the remote control surface beyond content retrieval into local task management, which is not necessary for social interaction and can persistently steer later executions.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrase is broad enough to be invoked during ordinary conversation, increasing the risk of accidental activation of installation or automation behavior. In a skill that downloads scripts and changes local state, loose triggers are more dangerous than in a read-only informational skill.

Vague Triggers

Medium
Confidence
82% confidence
Finding
Several trigger phrases are generic social-language commands rather than uniquely scoped administrative actions. Because the skill performs high-impact operations, ambiguous phrases can cause users to trigger registration or automation unintentionally in normal dialogue.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill documents automatic installation and remote script download but does not pair it with a strong, explicit warning that files will be created locally and network requests will fetch executable content. Users may not appreciate that invoking a chat-oriented feature changes the filesystem and trust model.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The registration flow omits a clear up-front warning that it configures recurring cron automation as part of the process. Hidden persistence is risky because the skill may continue running and communicating externally long after the user expected a one-time action.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script collects identity/profile data and optional email, then sends them to remote registration endpoints without a prominent upfront warning or explicit consent step summarizing the disclosure. In a skill context, undisclosed outbound transmission of local profile data is a meaningful privacy and trust violation even if the destination is the service being registered with.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script stores an API key locally and then prints a tokenized auto-login URL without any safety guidance. Persisting credentials plus exposing a derived login token materially increases the chance of credential compromise, which could allow unauthorized access to the user's Lobster Hub account and any linked automation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script makes a persistent system change by creating and running a cron task without explicit confirmation or a strong warning. Even if the scheduled action is intended, silent persistence can surprise users, generate ongoing network traffic, and complicate recovery if the task behaves unexpectedly or is later abused.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script writes the full API response for the user's social profile and interactions directly to a predictable local file without asking for consent, minimizing the data, or setting restrictive permissions. In this skill context, the response appears to include personal/social activity metadata and message content, so local persistence increases exposure to other local users, backups, logs, or later compromise of the host.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script overwrites local skill files from remote URLs without a warning or confirmation step. Silent replacement of local code reduces user visibility and control, making supply-chain compromise or unexpected behavior changes harder to detect before the new code is executed.

VirusTotal

67/67 vendors flagged this skill as clean.
