IsItWater

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for checking coordinates with the IsItWater API, with the main caution being ordinary API-key handling.

Install only if you are comfortable giving the skill access to an IsItWater API key. Prefer the ISITWATER_API_KEY environment variable when possible, avoid sharing logs or config files that contain the key, and restrict file permissions on ~/.openclaw/openclaw.json if you store the key there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Session Persistence

Medium
Category
Rogue Agent
Content
1. Check if `ISITWATER_API_KEY` is set in the environment.
2. If it is **not** set:
   - Inform the user: "You need an IsItWater API key. You can get one at https://isitwater.com"
   - Offer to help them sign up using the browser tool — navigate to https://isitwater.com, create an account, and generate an API key from the dashboard.
   - Once the user has a key, guide them to configure it in `~/.openclaw/openclaw.json`:

Confidence
80% confidence
Finding
create an account, and generate an API key from the dashboard. - Once the user has a key, guide them to configure it in `~/.openclaw

VirusTotal

66/66 vendors flagged this skill as clean.
