Clawpilot

Security checks across malware telemetry and agentic risk

Overview

ClawPilot is a coherent OpenClaw helper, but it needs review because it can run local/network checks and inspect sensitive OpenClaw configuration and session data.

Install only if you trust the publisher and are comfortable with an OpenClaw-focused skill that may run local bash scripts and read sensitive OpenClaw data. Approve update checks, config scans, prompt scans, and transcript scans deliberately; avoid sharing raw audit output because it may include secrets, private chat content, or internal paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill explicitly instructs the agent to perform network access and shell execution (`bash scripts/...`, fetching GitHub/docs/web CVE data) but does not declare permissions or boundaries for those capabilities. In a skill package, undeclared powerful capabilities are dangerous because they hide the true trust requirements from users and tooling, increasing the chance that a high-privilege skill is invoked without appropriate review or sandboxing.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The README states that the AI agent will 'automatically load the skill when you ask about OpenClaw' without clearly constraining activation rules. In an agent-skill ecosystem, vague auto-activation language can encourage overly broad matching and unintended invocation on loosely related prompts, increasing the chance that untrusted skill instructions or bundled scripts influence conversations outside the intended scope.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The Chinese README repeats the same broad claim that the agent will automatically load the skill for OpenClaw-related questions, again without precise scope limits. Duplicating the ambiguity across languages increases the likelihood of inconsistent or overbroad activation behavior and makes accidental invocation more likely for multilingual users or systems.
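The three findings above (undeclared shell/network capability and a broad auto-activation trigger) can be caught before install with a static check over the skill package. The following is an added example, not ClawPilot's or OpenClaw's own code: it assumes a SKILL.md whose frontmatter carries `capabilities:` and `triggers:` fields (hypothetical field names chosen for illustration), scans the instruction body for evidence of shell execution, network access, and reads of OpenClaw config or transcripts, and reports anything used but not declared, plus any trigger that is just a product name. Both sample skills are constructed.

```python
"""Static pre-install audit of an agent skill package.

Added example, not ClawPilot's or OpenClaw's own code. The manifest
layout (a SKILL.md with `capabilities:` and `triggers:` frontmatter)
is an assumption made for illustration; adapt the field names to
whatever your registry actually uses.
"""
import re

# Constructed sample: instructions use shell and network access and read
# sensitive local data, but the frontmatter declares only filesystem-read
# and the trigger is the bare product name.
SAMPLE_UNDECLARED = """---
name: example-helper
capabilities: filesystem-read
triggers: openclaw
---
When the user asks about OpenClaw, automatically load this skill.
Run `bash scripts/check_update.sh` and fetch the latest CVE list from
https://github.com/example/advisories before answering.
Read ~/.openclaw/config.yaml and the session transcripts in ~/.openclaw/sessions/.
"""

# Constructed sample of the same instructions with every capability
# declared and triggers narrowed to specific tasks.
SAMPLE_DECLARED = """---
name: example-helper
capabilities: filesystem-read, shell-exec, network, sensitive-config-read, transcript-read
triggers: openclaw config audit, openclaw update check
---
Run `bash scripts/check_update.sh` and fetch the latest CVE list from
https://github.com/example/advisories before answering.
Read ~/.openclaw/config.yaml and the session transcripts in ~/.openclaw/sessions/.
"""

# Evidence in the instruction body -> capability the skill would need to declare.
CAPABILITY_PATTERNS = {
    "shell-exec": re.compile(r"\b(bash|sh|curl|wget)\b"),
    "network": re.compile(r"https?://|\b(curl|wget|fetch)\b"),
    "sensitive-config-read": re.compile(r"~/\.openclaw/|\bconfig\.(ya?ml|json)\b"),
    "transcript-read": re.compile(r"\b(session|transcript)s?\b"),
}

# Trigger phrases that match almost any mention of the product.
BROAD_TRIGGER_WORDS = {"openclaw", "help", "question", "anything"}


def parse_frontmatter(text):
    """Split a `---`-delimited frontmatter block into (fields, body).

    Each field value is split on commas into a list of strings.
    """
    m = re.match(r"^---\n(.*?)\n---\n(.*)$", text, re.S)
    if not m:
        return {}, text
    fields = {}
    for line in m.group(1).splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return fields, m.group(2)


def audit_skill(text):
    """Return a list of (severity, message) findings for one skill package."""
    fields, body = parse_frontmatter(text)
    declared = set(fields.get("capabilities", []))
    findings = []
    # Capability used in the instructions but absent from the declaration.
    for cap, pattern in CAPABILITY_PATTERNS.items():
        if pattern.search(body) and cap not in declared:
            findings.append(("medium", f"undeclared capability: {cap}"))
    # Triggers that are a single word or a generic product mention.
    for trigger in fields.get("triggers", []):
        if trigger.lower() in BROAD_TRIGGER_WORDS or len(trigger.split()) < 2:
            findings.append(("medium", f"overly broad trigger: {trigger!r}"))
    # Auto-activation language with no scope limit in the body itself.
    if re.search(r"automatically load", body, re.I):
        findings.append(("low", "instructions promise auto-activation without scope limits"))
    return findings


if __name__ == "__main__":
    for label, skill in (("undeclared", SAMPLE_UNDECLARED), ("declared", SAMPLE_DECLARED)):
        print(label)
        for severity, message in audit_skill(skill):
            print(f"  [{severity}] {message}")
```

Run against the first sample it reports four undeclared capabilities, the bare `openclaw` trigger, and the auto-load sentence; the second sample, with the same instructions but a complete declaration and task-specific triggers, produces nothing, which is the state a reviewer should insist on before approving a skill that runs scripts.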

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The documentation shows a live-looking secret field (`auth.token: "your-secret"`) directly in configuration examples while only warning elsewhere about env vars for some credentials. In a gateway product that handles remote channels and authentication, this can normalize storing bearer secrets in config files that are often committed, copied into tickets, or exposed via backups and support bundles.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The file documents shell-command execution capability (`commands.bash` and related settings) without a nearby warning that enabling it grants message-triggerable system command execution. In the OpenClaw context, which connects chat platforms to agents, this materially increases the risk of remote abuse, privilege misuse, and host compromise if turned on without strict access controls.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The Telegram example advertises `configWrites: true` without warning that chat-originated events may modify runtime configuration remotely. In a self-hosted AI gateway with broad channel integrations, remote config mutation can be chained into persistence, weakening auth, enabling tools, or rerouting behavior if Telegram account or bot access is compromised.
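The three documentation findings above share one root cause: the examples show risky values without the check a reader would need to apply. The following is an added example, not OpenClaw's or ClawPilot's own code, that lints a parsed gateway config for exactly those three settings. Only the key names `auth.token`, `commands.bash`, and `configWrites` come from the findings; the surrounding layout (`channels.telegram`) and the `allowFrom` allowlist key are assumptions for illustration, and both config objects are constructed.

```python
"""Lint an OpenClaw-style gateway config for the three risky settings
flagged in the findings: an inline bearer token, shell execution enabled
without a sender allowlist, and a channel permitted to write config.

Added example, not OpenClaw's or ClawPilot's own code. Only the keys
auth.token, commands.bash and configWrites come from the findings; the
rest of the layout and the `allowFrom` allowlist key are assumed.
"""
import re

# Accept only environment-variable references as token values, e.g. ${OPENCLAW_TOKEN}.
ENV_REF = re.compile(r"^\$\{[A-Z_][A-Z0-9_]*\}$")

# Constructed config mirroring the documented examples: a literal secret,
# shell execution on, and a Telegram channel allowed to mutate config.
RISKY_CONFIG = {
    "auth": {"token": "your-secret"},
    "commands": {"bash": True},
    "channels": {
        "telegram": {"configWrites": True, "allowFrom": []},
    },
}

# Constructed corrected form: token comes from the environment, shell
# execution is restricted to an explicit sender list, config writes are off.
HARDENED_CONFIG = {
    "auth": {"token": "${OPENCLAW_TOKEN}"},
    "commands": {"bash": True, "allowFrom": ["ops-team"]},
    "channels": {
        "telegram": {"configWrites": False},
    },
}


def get_path(cfg, dotted, default=None):
    """Look up a dotted key such as 'auth.token' in nested dicts."""
    cur = cfg
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def lint_config(cfg):
    """Return (severity, message) findings for the risky settings."""
    findings = []

    # 1. Bearer secret stored as a literal rather than an env reference.
    token = get_path(cfg, "auth.token")
    if isinstance(token, str) and token and not ENV_REF.match(token):
        findings.append(("high", "auth.token is an inline literal; reference an environment variable instead"))

    # 2. Message-triggerable shell execution with no restriction on who may trigger it.
    if get_path(cfg, "commands.bash") and not get_path(cfg, "commands.allowFrom"):
        findings.append(("high", "commands.bash is enabled with no sender allowlist: any message can run shell commands"))

    # 3. Any channel allowed to write runtime configuration from chat events.
    for name, channel in (get_path(cfg, "channels") or {}).items():
        if isinstance(channel, dict) and channel.get("configWrites"):
            findings.append(("medium", f"channels.{name}.configWrites is true: chat-originated events can mutate config"))

    return findings


if __name__ == "__main__":
    for label, cfg in (("risky", RISKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for severity, message in lint_config(cfg):
            print(f"  [{severity}] {message}")
```

The hardened form keeps `commands.bash` on, since the feature itself is legitimate; what changes is that it can no longer be reached by an arbitrary sender, the token never lives in the file that gets committed or pasted into a support bundle, and a compromised Telegram bot can no longer rewrite the gateway's own configuration.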

VirusTotal

0 of 66 VirusTotal engines flagged this skill's files as malicious. This is a signature-based check of the packaged files; it does not evaluate the instruction-level risks described in the findings above.