Clawned - Protect your OpenClaw Instance and Scan Skills

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Clawned security dashboard helper that inventories OpenClaw skills and syncs metadata, with some expected privacy considerations.

Install only if you trust Clawned with your installed-skill inventory plus basic host registration details such as hostname and OS. Keep CLAWNED_SERVER pointed at a trusted endpoint, use scan --path only for skill directories you are comfortable analyzing, and enable cron/watch/daemon modes only if you want ongoing monitoring.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Tainted flow: 'req' from os.getenv (line 29, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
headers={"Authorization": f"Bearer {CLAWNED_API_KEY}", "Content-Type": "application/json",
                 "User-Agent": "ClawnedAgent/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        print(f"[!] API error {e.code}: {e.read().decode() if e.fp else ''}"); sys.exit(1)
Confidence
95% confidence
Finding
with urllib.request.urlopen(req, timeout=60) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises significant capabilities—environment access, file access, network use, and likely local state writes—without any explicit permission declaration in the manifest. That makes the trust boundary unclear to users and reviewers, increasing the chance of unintended data exposure or overbroad execution in an agent marketed as a security tool.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior frames the skill as a local security analyzer, but the analyzed behavior indicates additional actions such as background monitoring, host registration, remote syncing, and server-side scan orchestration. This mismatch is dangerous because users may grant trust and install the skill expecting limited local analysis, while it actually performs broader persistence, telemetry, and external data exchange.

VirusTotal

64/64 vendors flagged this skill as clean.
