ClawHub

Share use case

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it drafts a public OpenClaw use-case submission from recent chat context, asks for review, and optionally attaches public-profile attribution.

Install only if you are comfortable with the assistant reviewing recent chat context to draft something that may become public. Before submitting, remove secrets, client names, internal URLs, unreleased plans, or private business details. Choose anonymous submission if you do not want a Twitter/X or GitHub identity attached.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to mine recent conversation history and turn it into content for submission to a third-party site without a clear privacy warning or explicit, informed consent for each data element used. This can expose sensitive project details, business context, secrets, or personal information that appeared in prior messages but were never intended for public sharing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The OAuth attribution flow and subsequent submission send user identity and authored content to third-party services, yet the skill lacks a prominent disclosure of what identity data is collected, stored, and published. This is risky because users may connect social accounts without understanding that usernames, handles, links, and submission content will be transmitted and potentially made public.

Ssd 3

Medium
Confidence
92% confidence
Finding
The skill defaults to inspecting recent conversation history and packaging details into a public community submission, which creates a substantial risk of oversharing confidential or proprietary information. Because the destination is a public showcase, any mistaken extraction can lead to irreversible disclosure of internal workflows, customer details, or unreleased product information.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal