New Agent

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended to create OpenClaw messaging agents, but it handles live bot credentials and broad agent-to-agent access with too little user control or security guidance.

Review before installing. Use only test or scoped bot credentials at first, avoid pasting production tokens into chat, keep manifests and openclaw.json out of version control, restrict file permissions, and rotate any token that was exposed in prompts, logs, or shared files. In batch mode, be aware that all created agents are automatically allowed to interact through agent-to-agent tooling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The script automatically adds every created agent to tools.agentToAgent.allow, expanding privileges beyond the stated purpose of provisioning agents and binding them to messaging channels. This increases lateral interaction capability for all new agents without explicit operator consent, which can broaden the blast radius if one agent is misconfigured, prompt-injected, or compromised.

Missing User Warnings

Medium
Confidence: 94%
Finding
The README explicitly instructs users to paste a live Telegram bot token into an agent prompt, which can expose credentials to the LLM, prompt logs, chat history, telemetry, or downstream tools the agent invokes. In the context of an agent-creation skill that handles messaging integrations, this is more dangerous because users are likely to follow the example verbatim and provide production secrets through a channel that may not be designed for secure secret handling.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill tells users to place live bot tokens and app secrets directly into openclaw.json without any guidance on secret storage, file permissions, redaction, or rotation. Storing production credentials in plaintext configuration materially increases the risk of credential leakage through source control, backups, logs, screenshots, or over-broad filesystem access.

Missing User Warnings

Medium
Confidence: 97%
Finding
The batch manifest example embeds plaintext appSecret values for multiple agents, concentrating sensitive credentials in a portable file with no warning about secure handling. A manifest like this is especially risky because it is easy to reuse, share, commit to version control, or leave behind after execution, exposing several accounts at once.

Missing User Warnings

Medium
Confidence: 87%
Finding
The script persists bot tokens and app secrets from the manifest directly into the long-lived openclaw.json configuration without warning, confirmation, or any protection mechanism. Storing credentials on disk is sometimes necessary, but doing so silently raises the risk of credential exposure through weak file permissions, backups, accidental commits, or multi-user hosts.

VirusTotal

65/65 vendors flagged this skill as clean.