Huo15 Knowledge Base

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real knowledge-base skill, but users should review it because its privacy and isolation boundaries are weaker than advertised.

Review before installing. Use it only with documents that may be stored locally and sent to your configured LLM provider, check which models.json credentials it will use, and start with a test agent. Avoid running the all-agents activation script unless you intentionally want kb folders created across every agent, and review any lint or compile edits before keeping them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises no declared permissions, yet its documented behavior requires environment access, file reads/writes, and network operations. This creates a trust and review gap: operators may approve or invoke the skill without understanding that it can access API keys, fetch remote content, and modify local data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose claims strict per-agent isolation, but the described broader behavior includes cross-agent batch activation, external LLM API access using configured keys, and some processing that targets the skill installation directory rather than the agent-local KB directory. This mismatch is dangerous because users may rely on isolation guarantees that do not actually hold, leading to data leakage, unintended cross-agent modification, or exfiltration to third-party services.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script reads provider credentials from local configuration and directly performs outbound API calls, which expands the skill's effective privileges beyond what the manifest describes. In a knowledge-base compiler, this means prompt contents and potentially sensitive source material can be transmitted off-box without clear disclosure, creating an unexpected data-exfiltration path.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Although the skill description claims per-agent isolation, the loader falls back to ~/.openclaw/agents/main/agent/models.json, which is outside the agent workspace. This breaks isolation boundaries by allowing the skill to inherit shared user-level credentials and provider settings, undermining tenant separation and making cross-agent data exposure more plausible.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Using the generic trigger phrase "知识库" (Chinese for "knowledge base") is overly broad and can activate the skill during ordinary discussion rather than on a deliberate command. In a skill that performs ingestion, sync, fetching, and file/network actions, accidental activation can cause unintended data copying or remote requests.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger section repeats the same broad activation phrase without narrowing conditions, reinforcing the risk of accidental invocation. Because this skill can read/write files and pull in internal or external content, ambiguous activation increases the chance of unintended side effects in normal chats.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill description does not clearly warn that ingest and sync can copy content from internal memory/reference stores or fetch external web content into the local knowledge base. Without that disclosure, users may unknowingly import sensitive or untrusted data, which can then be searched, compiled, or sent to an LLM-backed workflow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script copies the full contents of every raw document into a cache prompt file that is then intended to be passed to an external LLM workflow. In a knowledge-base skill, raw documents may contain sensitive internal data, so this creates a realistic data-exposure path through local cache storage and onward transmission to the model without any classification, consent, redaction, or warning.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script reads the prompt file and sends its full contents to an external LLM endpoint without any explicit user-facing notice at the point of transmission. Because knowledge-base prompts may embed raw documents, URLs, or internal notes, this can leak sensitive material to third-party services unexpectedly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script prepares a prompt that explicitly instructs an LLM to directly modify wiki files, then only later tells the operator to run that workflow via OpenClaw. This creates a real risk of unintended or unsafe file edits because the automation path encourages agent-driven modification of local content without a clear pre-execution warning, review gate, or sandboxing step.

VirusTotal

No VirusTotal findings
