Did You Know

Security checks across malware telemetry and agentic risk

Overview

This trivia skill is coherent with its stated purpose: it fetches public Wikipedia facts, stores a local cache and user preferences, and optionally creates scheduled jobs for fact delivery or preference refresh.

Install if you are comfortable with the skill contacting Wikipedia, keeping a local trivia cache and optional preferences in ~/.openclaw, and creating OpenClaw cron schedules if you enable automatic delivery or preference refresh. Ask for the schedule and removal instructions before enabling recurring jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97%
Finding
The skill uses file read/write and network access but does not declare corresponding permissions, which undermines transparency and any permission-based review or enforcement. In this context, the behavior appears related to fetching Wikipedia content and storing cache/preferences, but hidden capabilities still increase risk because users and the platform cannot accurately assess what the skill can do.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95%
Finding
The manifest describes a narrow fact-fetching skill, but the instructions add preference tracking, ranking logic, tag ingestion, and background data management. This mismatch is dangerous because reviewers and users may authorize a simple trivia skill without realizing it persists behavioral data and accepts externally supplied tagging input that influences output selection.

Context-Inappropriate Capability

Medium
Confidence
93%
Finding
The skill instructs the agent to inspect session context for channel platform and chat ID in order to configure scheduled delivery. Accessing and reusing contextual identifiers beyond the core fact-fetching purpose creates a privacy and scope-expansion issue, especially when tied to persistent automation.

Context-Inappropriate Capability

Medium
Confidence
96%
Finding
The skill creates persistent cron jobs for delivery and refresh, which is materially broader than serving an on-demand Wikipedia fact. Persistent background execution increases attack surface and can continue operating after the immediate conversation, potentially surprising users and consuming system capabilities indefinitely.

Missing User Warnings

Medium
Confidence
95%
Finding
The skill tells the agent to create a delivery cron job silently and tie it to the user's current chat context, but it does not require an explicit warning that this is a persistent background task. Hidden persistence is dangerous because users may think they are approving a one-time action when they are actually authorizing ongoing automated messages.

Missing User Warnings

Medium
Confidence
96%
Finding
The automated refresh job is configured to run invisibly with no user-facing delivery, which means persistent background processing can be established without obvious ongoing visibility. Even if intended to support preferences, silent recurring tasks increase the risk of covert resource use and hidden data handling.
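The Least Privilege, Context-Inappropriate Capability and Missing User Warnings findings above all reduce to one check: compare what a skill's instruction text implies it will do against what its manifest declares, and flag persistence that is set up without warning language. The following is an added example written for this page of how such a check can be scripted; it is not SkillSpector's or OpenClaw's own logic. The manifest schema and field names, the regexes, and the sample instruction text (constructed to mirror the findings, not copied from the real skill) are all assumptions.

```python
"""Hypothetical capability audit for an agent skill.

Compares the capabilities a skill's instruction text implies against the
permissions its manifest declares, in the spirit of the "MCP Least Privilege",
"Context-Inappropriate Capability" and "Missing User Warnings" findings.
The manifest schema, field names and sample text are assumptions made for
this example; they are not OpenClaw's or SkillSpector's own formats.
"""
import re
from dataclasses import dataclass

# Hypothetical manifests: what the skill author declared.
DECLARED_NARROW = {
    "network": [],          # allowed hosts; empty means no network declared
    "filesystem": [],       # allowed path prefixes
    "schedule": False,      # may the skill create recurring jobs?
    "session_context": [],  # session fields the skill may read
}
DECLARED_FULL = {
    "network": ["en.wikipedia.org"],
    "filesystem": ["~/.openclaw/did-you-know/"],
    "schedule": True,
    "session_context": ["channel", "chat_id"],
}

# Constructed instruction text modelled on the findings, not the real skill.
INSTRUCTIONS_SILENT = """\
Fetch a random summary from https://en.wikipedia.org/api/rest_v1/page/random/summary.
Cache results and user preferences in ~/.openclaw/did-you-know/cache.json.
Read the session context for the channel and chat_id, then create a cron job
that delivers a fact to that chat every morning. Also create a refresh cron job
that updates preferences with no user-facing output.
"""
INSTRUCTIONS_TRANSPARENT = INSTRUCTIONS_SILENT + """\
Before creating any cron job, warn the user that this is a persistent
background task and ask for confirmation; show how to remove it.
"""

HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
PATH_RE = re.compile(r"(~/[\w./-]+|/(?:home|etc|var)/[\w./-]+)")
SCHEDULE_RE = re.compile(r"\b(cron|schedule[ds]?|recurring|every (?:day|morning|hour))\b", re.I)
CONTEXT_RE = re.compile(r"\b(chat[_ ]?id|channel)\b", re.I)
WARNING_RE = re.compile(r"\b(warn|confirm|ask (?:the )?user|consent)\b", re.I)


@dataclass(frozen=True)
class Finding:
    category: str
    severity: str
    detail: str


def implied_capabilities(text: str) -> dict:
    """Extract the capabilities the instruction text implies the skill needs."""
    return {
        "hosts": {m.group(1).lower() for m in HOST_RE.finditer(text)},
        # strip sentence punctuation that the path regex would otherwise swallow
        "paths": {p.rstrip(".,;:") for p in PATH_RE.findall(text)},
        "schedule": bool(SCHEDULE_RE.search(text)),
        "context": {m.group(1).lower().replace(" ", "_") for m in CONTEXT_RE.finditer(text)},
        "warns": bool(WARNING_RE.search(text)),
    }


def audit_skill(manifest: dict, text: str) -> list:
    """Report every implied capability the manifest does not declare, plus
    recurring jobs that are created without any warning or confirmation."""
    caps = implied_capabilities(text)
    findings = []
    hosts = sorted(h for h in caps["hosts"] if h not in manifest["network"])
    if hosts:
        findings.append(Finding("Least Privilege", "Medium",
                                f"network access to {hosts} not declared"))
    paths = sorted(p for p in caps["paths"]
                   if not any(p.startswith(pre) for pre in manifest["filesystem"]))
    if paths:
        findings.append(Finding("Least Privilege", "Medium",
                                f"file access to {paths} not declared"))
    ctx = sorted(c for c in caps["context"] if c not in manifest["session_context"])
    if ctx:
        findings.append(Finding("Context-Inappropriate Capability", "Medium",
                                f"reads session fields {ctx} without declaring them"))
    if caps["schedule"]:
        if not manifest["schedule"]:
            findings.append(Finding("Least Privilege", "Medium",
                                    "creates recurring jobs but manifest does not declare scheduling"))
        if not caps["warns"]:
            findings.append(Finding("Missing User Warnings", "Medium",
                                    "creates recurring jobs without warning or confirmation language"))
    return findings


if __name__ == "__main__":
    for f in audit_skill(DECLARED_NARROW, INSTRUCTIONS_SILENT):
        print(f"[{f.severity}] {f.category}: {f.detail}")
```

Against the narrow manifest and the silent instructions the audit raises five findings (undeclared network, file system, session context and scheduling, plus the missing warning); declaring the capabilities clears all but the warning, and adding confirmation language before the cron step clears that too. The keyword lists are deliberately small; a real reviewer would extend them to the platform's actual tool names rather than English verbs.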

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal