Demo Slap

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent CS2 highlight-rendering integration with expected API use, local runtime state, and disclosed OpenClaw delivery helpers.

Install only if you are comfortable providing a Demo-Slap API key, optionally a Leetify API key, sending match/demo data to those services, and allowing OpenClaw completion notifications that may include chat IDs and clip URLs. In shared environments, review or clear the skill's data directory after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
first_url = next(iter(clip_urls.values()))
event_text = f"[demo-slap] Render done. JobID: {job_id}. ChatID: {chat_id}. Clip URL: {first_url}. Watchdog should send media to ChatID."
try:
    subprocess.run(["openclaw", "system", "event", "--text", event_text, "--mode", "now"], check=True)
except Exception as e:
    print(f"⚠️  System event failed: {e}")
Confidence
91% confidence
Finding
subprocess.run(["openclaw", "system", "event", "--text", event_text, "--mode", "now"], check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill requires access to environment variables, local files, shell execution, and network services, but it does not declare permissions in a way that transparently informs or constrains the agent/runtime. That mismatch is dangerous because it enables broad operational capability without explicit consent boundaries, increasing the chance of secret exposure, unintended file modification, or external requests being made implicitly.

Context-Inappropriate Capability

Medium
Confidence
71% confidence
Finding
The script emits a host-level system event through an external openclaw CLI after finishing demo analysis, which extends the skill's effects beyond its stated purpose of analyzing demos and returning highlights. Even without shell injection, this creates an unnecessary cross-boundary side effect that can leak metadata such as chat_id and job status to another subsystem and increases the blast radius if the skill is triggered unexpectedly or abused.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill performs an out-of-band system event emission unrelated to its core purpose of rendering clips, which expands its effective capability beyond what users would reasonably expect. Because the event contains render output and routing metadata, it can be used to exfiltrate data or trigger privileged automation in another component (`Watchdog`/`openclaw`) without clear user consent.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The documentation understates the script's side effects by claiming it only polls, outputs URLs, and writes progress, while the code also emits a system event to another tool. This mismatch is dangerous because hidden behaviors reduce operator awareness, undermine review, and make it easier for unexpected data disclosure or cross-system triggering to go unnoticed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill sends replay URLs, match/job identifiers, and chat-related metadata to external services and also persists runtime state locally, but the description does not clearly warn users about this data flow. This is risky because users may unknowingly expose personal identifiers, gameplay history, or chat routing metadata to third parties and leave residual local state containing operational details.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends clip URLs and `chat_id` through a subprocess-triggered system event, exposing operational metadata and potentially sensitive media links to another subsystem without explicit user notice or consent. In this skill context, the risk is elevated because render URLs may grant direct access to generated media and chat identifiers can be used for message routing or correlation across systems.

VirusTotal

66/66 vendors flagged this skill as clean.
