clawnedhub - Scan and Security your OpenClaw Instances

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Clawned security-dashboard agent, but users should understand it sends installed-skill inventory and basic host details to Clawned.

Install only if you trust Clawned with your installed-skill inventory, hostname/OS metadata, and any source or URL information you explicitly scan. Keep CLAWNED_SERVER set to the intended Clawned service, avoid scanning directories that may contain secrets, and enable cron or watch mode only if you want ongoing sync behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Tainted flow: 'req' from os.getenv (line 24, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
    req = urllib.request.Request(f"{CLAWNED_SERVER}{endpoint}", data=body, method=method,
        headers={"Authorization": f"Bearer {CLAWNED_API_KEY}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        print(f"[!] API error {e.code}: {e.read().decode() if e.fp else ''}"); sys.exit(1)
Confidence: 97%
Finding:
with urllib.request.urlopen(req, timeout=60) as resp:

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding:
The skill advertises operational behaviors that require access to environment variables, local files, and the network, but it does not declare corresponding permissions in the manifest. This creates a transparency and trust problem: users and host platforms cannot accurately reason about what the skill can access, and a security-sensitive skill that inventories other skills and uploads results increases the risk of unintended data exposure.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 79%
Finding:
The documented purpose says the skill inventories installed skills, analyzes them, and syncs results, but the analyzed behavior reportedly extends to host registration, transmission of hostname/OS information, change watching with automatic re-sync, status reporting about registration state, and remote submission of GitHub or derived skill URLs. That mismatch is dangerous because it obscures data collection and network behavior from users, reducing informed consent and making covert or excessive telemetry harder to detect in a security-branded tool.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
Agent registration sends the local hostname and operating system to a remote service without an execution-time disclosure or consent prompt. This creates an unnecessary privacy and asset-enumeration leak: hostnames often encode usernames, device roles, or internal naming conventions that aid targeting. Given the skill's purpose of inventorying installed security-related content, silent collection of host identity is more sensitive than in a generic telemetry client.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The sync command uploads discovered skill metadata, including owner, slug, display name, and version/commit information, without prominently informing the user at runtime. This leaks an inventory of installed skills to a remote server, which can reveal internal tooling, security posture, or sensitive custom skills and can be valuable for profiling or targeted attacks. In the context of a security agent, undisclosed exfiltration of local inventory is especially risky because users may expect inspection, not transmission.

VirusTotal

65/65 vendors flagged this skill as clean.
