WatchClaw

Security checks across malware telemetry and agentic risk

Overview

Watchclaw is a coherent watchdog tool, but its normal install path runs unpinned remote code and installs unreviewed executables for a daemon that can change gateway config and restart services.

Install only if you are comfortable trusting and reviewing the GitHub source at install time. Prefer pinning the installer and downloaded files to a specific commit or release and verifying checksums before use. Run it only against a dedicated, backed-up OpenClaw config repo, restrict write access to watchclaw.conf, and avoid custom alert commands unless the config file is protected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The manifest exposes shell execution capability through its installer but does not declare permissions accordingly. This weakens trust boundaries and prevents users or enforcement layers from understanding that the skill can run arbitrary shell commands during install, increasing the chance of unsafe execution in sensitive environments.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill is presented as a watchdog/recovery utility, but the documented installer also downloads and executes remote code, installs binaries, alters permissions, and writes local files. That mismatch can mislead users about the true attack surface and cause them to approve a skill without realizing it performs privileged install-time actions.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The manifest includes a curl-pipe-bash installer that fetches a script from a remote repository and immediately executes it. This is dangerous because any compromise of the upstream repository, network path, or referenced script content results in arbitrary code execution on the user's machine during installation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation describes automatic use of git stash and git revert to recover from failures, but does not prominently warn that repository state and working tree contents will be modified. In a config repository, this can discard operator context, overwrite intended changes, or trigger cascading operational outages if recovery actions run unexpectedly.

External Script Fetching

Low
Category
Supply Chain
Content
{
  "id": "curl",
  "kind": "shell",
  "command": "curl -fsSL https://raw.githubusercontent.com/jarvis4wang/watchclaw/main/install.sh | bash",
  "bins": ["watchclaw"],
  "label": "Install watchclaw (curl)"
}
Confidence
98% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/jarvis4wang/watchclaw/main/install.sh | bash

VirusTotal

66/66 vendors flagged this skill as clean.