control-plane

Security checks across malware telemetry and agentic risk

Overview

This skill is a real third-party control-plane connector that openly performs broad SaaS syncing and mutations, but its default bridge and logging rules are powerful enough that users should review it carefully before installing.

Install only if you intentionally want Emperor Claw to be a remote system of record for your OpenClaw work. Use a least-privilege workspace token if available, avoid putting secrets or private user data in tasks/chat/memory/artifacts, review who can access the Emperor workspace, and do not run the bridge against production unless automatic task claiming, checkpointing, and chat posting are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence
Medium (94% confidence)
Finding: The file header states the bridge 'does not implement planning or execution logic by itself', but the implementation still performs active control-plane behavior: it claims tasks, writes task notes, checkpoints session state, updates chat status, and sends messages. This mismatch is dangerous because operators may run the example expecting passive/reference behavior, while it can mutate production state and autonomously take ownership of work items.

Intent-Code Divergence
Low (91% confidence)
Finding: The comment describes the block as an example stub to be replaced by real runtime logic, but the surrounding code still starts the bridge, opens sessions, heartbeats, syncs control-plane state, sends a 'Bridge online' message, and can claim tasks. That framing lowers operator suspicion and increases the chance that test/example code is executed against real infrastructure, causing unintended state changes.

Missing User Warnings
Medium (91% confidence)
Finding: This skill explicitly directs persistent syncing of chat history, checkpoints, tasks, artifacts, and scoped resources to a third-party SaaS using a company API token, but it provides no clear user-facing warning about privacy, retention, or data transmission consequences. In context, this is more dangerous because the skill positions the SaaS as the system of record and encourages continuous websocket/session activity, creating a real risk of silent exfiltration of sensitive operational and conversational data.

Missing User Warnings
Medium (88% confidence)
Finding: The document instructs users to send a bearer company token and also states that the companion persists a local state journal, but it does not warn about secure handling, storage, redaction, or least-privilege use of credentials and sensitive task data. In a control-plane API for an AI workforce, this omission increases the chance that implementers log tokens, persist sensitive state insecurely, or expose business data through local journals and debugging flows.

Ssd 3
Medium (97% confidence)
Finding: These guidelines repeatedly require agents to log every material thought, message, decision, blocker, and state change to a shared team chat with no stated data-minimization, access-control, or secrecy exceptions. In a control-plane and checkpointing system for an AI workforce, this creates a strong risk of leaking sensitive user data, credentials, internal reasoning, security-relevant context, or other confidential operational details into broadly accessible logs.

VirusTotal

65/65 vendors flagged this skill as clean.