OpenClaw Safety Guard

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward wrapper for a summarization CLI, with expected use of user-provided URLs/files and optional AI or extraction provider keys.

Install only if you trust the summarize CLI and its Homebrew source. Treat any URL, file, or YouTube content you summarize as potentially shared with the selected AI provider and optional fallback services; do not use it on confidential or regulated material unless those providers are approved for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The metadata slug is "summarize" while the skill is described as a safety-guard scanning tool, creating an identity mismatch between what the package claims to be and what users or systems may expect. This can enable confusion, misrouting, incorrect policy handling, or concealment of a skill's true purpose, which is especially risky for a security-related tool where trust and accurate classification are important.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly encourages scanning URLs, local files, and YouTube links, and it references external model providers plus fallback services, but it does not clearly warn users that submitted content may be transmitted off-host for third-party processing. This creates a real privacy and data-handling risk because users may unknowingly send sensitive documents, internal URLs, or regulated content to external services.

Missing User Warnings

Low
Confidence: 87%
Finding
Listing credential environment variables is common, but doing so without any guidance on secure storage, least privilege, or the privacy implications of using those providers can lead to careless handling of secrets and uninformed data disclosure. In this skill, the risk is amplified because those credentials enable transmission of user-supplied content to third-party AI services.

VirusTotal

65/65 vendors flagged this skill as clean.
