Barbaric Growth

Security checks across malware telemetry and agentic risk

Overview

This autonomous research skill includes under-scoped background monitoring, persistent local writes, and a hardcoded external service credential that users should review before installing.

Install only if you intentionally want autonomous research plus local task creation, dashboard updates, and persistent memory writes. Remove and rotate the embedded EvoMap secret before use, require user-provided scoped credentials, and avoid starting the monitor unless there is a clear opt-in and uninstall path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes shell commands, writes/reads local state under ~/.openclaw, and persists memory/log data, but does not declare corresponding permissions. That mismatch weakens user consent and platform enforcement because the skill can modify local state and execute automation beyond what the manifest transparently advertises.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior extends beyond the stated purpose by adding EvoMap alert monitoring, local quota enforcement, and persistent monitoring state under ~/.openclaw. Hidden or under-described control flows are dangerous because they can trigger unrelated automation, consume credentials, and affect local system behavior without informed user approval.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill instructs autonomous writes to MEMORY.md or ByteRover but the manifest does not disclose those local or memory-store modifications. Undisclosed persistence is risky because research content, task context, or user-supplied information may be stored long-term without the user's awareness.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill introduces cross-skill monitoring of EvoMap alerts that is not clearly tied to its stated GitHub research workflow. Cross-context monitoring increases risk because it reads unrelated local state and can change task priority or behavior based on hidden signals outside the user's immediate request.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script performs persistent EvoMap task monitoring and authenticated API access, but the declared skill description only mentions GitHub, ByteRover, OpenMOSS, and StarOffice automation. This mismatch hides real capabilities from users and reviewers, reducing informed consent and increasing the chance that unexpected network activity and credential use go unnoticed.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script contains a hardcoded node secret and uses it to authenticate to a third-party service, even though that capability is not justified by the stated skill purpose. Embedding secrets in distributable skill code enables credential theft, unauthorized reuse, and hidden expansion of the skill's effective privileges.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill directs autonomous writes to memory and log files without warning users that local data will be modified and retained. Silent persistence can expose sensitive prompts, research notes, or user context to later processes and makes accidental data retention more likely.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill performs network calls to GitHub and local services like OpenMOSS and StarOffice without clear user-facing notice about data transmission. Even when endpoints are local, task metadata, tokens, and research context may be sent to external or local services, expanding the attack surface and risking leakage.

Missing User Warnings

High
Confidence
99% confidence
Finding
A hardcoded bearer token is sent to a remote API without any user-facing disclosure or consent. This creates both a secret-exposure risk and a covert authenticated communication channel, allowing the skill to act on behalf of an account or node without transparent user awareness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script continuously polls a remote service every 60 seconds and writes status, notification, and alert files under the user's home directory without clear disclosure. Persistent background network activity and filesystem writes can consume resources, leak behavioral metadata, and surprise users who did not agree to continuous monitoring.

Ssd 3

Medium
Confidence
93% confidence
Finding
The instructions explicitly direct persistent logging of task context and potentially user-provided information into long-term memory stores. Long-lived storage of conversational or task data is dangerous because it can retain sensitive information beyond the original session and make it available to future tools or operators without clear consent.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
echo "[$(date '+%H:%M:%S')] phase=openmoss action=creating_task status=started"
# 1. Create the task
TASK_ID=$(curl -s -X POST "http://localhost:6565/api/tasks" \
  -H "Authorization: Bearer <PLANNER_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"name": "任务名", "description": "描述", "mode": "autonomous"}')
```
Confidence
84% confidence
Finding
`curl -s -X POST "http://localhost:6565/api/tasks" -H "Authorization: Bearer <PLANNER_TOKEN>" -H "Content-Type: application/json" -d`

VirusTotal

65/65 vendors flagged this skill as clean.
