Local Self-Healing Machine Learning

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent local self-healing agent, but it asks for high-impact automation while under-disclosing several network, dashboard, and executor behaviors.

Install only if you are comfortable with an agent that can read recent OpenClaw sessions, persist learning state, spawn or drive executor agents to change code, and expose diagnostics through a local web server. Keep EVOLVE_BRIDGE, EVOLVE_HUB_TASKS, auto-update, remote OLLAMA_URL values, and dashboard exposure disabled unless you explicitly need them, and bind or firewall the dashboard before using it on shared or networked machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (57)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill advertises significant capabilities involving environment access and network-like behavior, but does not declare corresponding permissions. This creates a transparency and governance problem: users and policy engines may approve the skill under a false assumption of limited capability, increasing the chance of unsafe deployment.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The documented behavior materially exceeds the stated purpose of a 'fully local' ML engine and includes dashboard hosting, process spawning, command execution, file scanning, persistent device identity, and optional HTTP calls. This mismatch is dangerous because it obscures the true attack surface and may cause users to enable a skill that can inspect, modify, and orchestrate far more of the host than expected.

Description-Behavior Mismatch
Severity: Medium
Confidence: 85%
Finding: The claim of 'zero network calls' conflicts with documented dependence on an HTTP API endpoint for Ollama embeddings. Even if limited to localhost by default, it is still network communication and may be redirected or misconfigured to a remote host, undermining the privacy and security assurances made to users.

Intent-Code Divergence
Severity: Medium
Confidence: 83%
Finding: The documentation says the engine never calls home and makes zero network calls, yet it also exposes a localhost dashboard and relies on a browser-served interface. While local-only services are less severe than internet telemetry, they still enlarge the attack surface and can leak internal state to other local users or software if bound insecurely.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The server exposes a large internal state bundle over unauthenticated HTTP at /api/data, including memory contents, knowledge, predictor state, clusters, genes/capsules, and recent events. Although intended as a local dashboard, there is no access control, no binding restriction shown in this file, and the response is explicitly cross-origin readable, which increases the chance of unintended local data exposure to other local users, processes, or websites able to reach the service.

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%
Finding: The code reads environment-derived configuration values and includes them in the API response, leaking operational details such as local service URLs and model configuration to any client that can query the dashboard. Even if these are not always secrets, environment values often reveal internal topology and can aid reconnaissance or expose sensitive deployment details.

Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: The skill metadata promises a fully local engine that never 'calls home', but the implementation performs hub task fetching, task claiming, proactive question submission, and hub search. That mismatch is security-relevant because operators may enable or deploy the skill under false assumptions about network isolation and data flow, while the code can transmit signals and receive externally influenced work items.

Context-Inappropriate Capability
Severity: High
Confidence: 95%
Finding: This code writes a prompt artifact containing rich context and then emits a sessions_spawn call instructing an executor agent to apply patches and run follow-up commands. In an autonomous self-modifying system, spawning executor agents expands the attack surface from analysis into action, making prompt/data poisoning or unsafe task generation materially more dangerous.

Context-Inappropriate Capability
Severity: High
Confidence: 89%
Finding: Even though auto-update is disabled by default, the code still contains capability to locate a CLI and execute forced updates for components from an external source. For a tool marketed as fully local, embedded self-update logic is context-inappropriate and creates supply-chain risk if enabled or misconfigured.

Intent-Code Divergence
Severity: Medium
Confidence: 84%
Finding: The code comments claim session-scope isolation to prevent cross-channel or cross-project contamination, but when no scoped match exists it silently falls back to all non-evolver sessions. That fallback can leak unrelated session content into evolution decisions and prompts, undermining the privacy boundary the code claims to enforce.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The code derives a stable node identifier from machine-specific inputs (`getDeviceId()`, `AGENT_NAME`, and `process.cwd()`) and includes an environment fingerprint in `hello` messages. Even if transport is local-only, these values can still disclose host identity and system characteristics to other local processes, logs, shared directories, backups, or any later-added sync mechanism, undermining the claim that the system does not reveal machine identity.

Intent-Code Divergence
Severity: Medium
Confidence: 90%
Finding: The header comments state that machine ID exposure has been removed, but the implementation still embeds a device-derived node ID and environment fingerprint in messages. This mismatch is security-relevant because it can mislead reviewers and users into trusting the component with stronger privacy guarantees than it actually provides.

Description-Behavior Mismatch
Severity: Medium
Confidence: 90%
Finding: The skill claims it will not reveal a machine ID, yet it generates and persists a stable device identifier and also accepts one from an environment variable. A persistent identifier enables correlation of activity across runs, and the environment override makes it easier for a deployer or surrounding tooling to inject a chosen tracking ID, undermining the privacy/security claims in the manifest.

Intent-Code Divergence
Severity: Low
Confidence: 80%
Finding: The header comment states the identifier is local-only and not based on hardware fingerprinting, but the code also imports an identifier from an environment variable. While this is not hardware fingerprinting by itself, it weakens the 'local-only anonymous' representation because externally supplied IDs can be stable, user-linked, or centrally coordinated for tracking.

Description-Behavior Mismatch
Severity: High
Confidence: 97%
Finding: The prompt explicitly injects hub/ecosystem context and states that a wrapper will report after git push, which conflicts with the skill's claim of fully local operation. Even if this file only builds prompts, it conditions a downstream agent to perform external coordination and reporting, creating a real risk of unintended data egress and deceptive behavior toward users.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: This code captures an environment fingerprint and injects it into the model prompt, despite the product description promising not to reveal machine identity. Environment fingerprints can include stable host characteristics that enable tracking, correlation, or accidental leakage of sensitive local context to any model, tool, or remote pipeline that later sees the prompt.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The prompt states that the wrapper will handle reporting after git push, directly implying a post-change outbound workflow inconsistent with a purely local engine. This is dangerous because it encourages a downstream agent to assume external reporting is expected and acceptable, weakening user trust and increasing the chance of silent exfiltration through adjacent components.

Description-Behavior Mismatch
Severity: High
Confidence: 97%
Finding: The code explicitly builds a distillation prompt from local capsule/event data, writes a distillation request artifact, and later accepts an external LLM response to synthesize a new executable Gene. That directly contradicts the stated 'fully local' behavior and creates a data-exfiltration and remote-influence path: local operational summaries, triggers, and outcomes can be sent off-box, while untrusted model output can alter future agent behavior.

Context-Inappropriate Capability
Severity: Medium
Confidence: 89%
Finding: The validator preserves model-supplied validation commands if they start with 'node', 'npm', or 'npx' and do not contain a small set of shell metacharacters. This still allows a synthesized Gene to carry executable commands into downstream execution paths, expanding the attack surface from passive learning to command execution and enabling package-script abuse or other unintended local actions if another component later runs these validations.

Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: The skill advertises itself as fully local and never calling home, but this code can send diff content to an LLM reviewer and perform Hub task completion callbacks. That is a capability mismatch that can exfiltrate code and metadata off-host when enabled, undermining user trust and violating the stated security boundary.

Context-Inappropriate Capability
Severity: Medium
Confidence: 87%
Finding: The file imports subprocess execution and later uses it broadly to run shell commands derived from internal state and gene validation data. In a self-modifying system, command execution materially expands the attack surface because compromised or unsafe gene data can trigger destructive local actions.

Intent-Code Divergence
Severity: Medium
Confidence: 96%
Finding: The comments state auto-publish is disabled for a local-only build, yet the code still performs Hub task completion behavior, which is an outbound integration. Even if narrower than full publish, it still violates the local-only expectation and can leak task/result metadata externally.

Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: The code builds a report that includes an environment fingerprint and explicitly states it is consumable by external Hubs or Judges, which conflicts with the skill's local-only and non-identifying claims. Even if this file does not itself transmit data, it packages host-identifying metadata into an exportable structure, creating a privacy and trust-boundary risk if other components forward or persist the report.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The code advertises a fully local engine, but `OLLAMA_URL` is configurable via environment variable and is later used for HTTP requests. That means data intended for local processing can be sent to a non-local endpoint, violating the stated trust boundary and potentially exposing sensitive text to external services.

Description-Behavior Mismatch
Severity: Medium
Confidence: 97%
Finding: `embedText()` POSTs raw text to `/api/embeddings` over HTTP using a configurable base URL, so any error text or other content passed in can leave the process. In the context of a skill marketed as never 'calling home', this creates a meaningful confidentiality and integrity risk because users may supply sensitive logs, prompts, or machine data under a false assumption of local-only handling.

VirusTotal

64/64 vendors flagged this skill as clean.