claw-negotiate

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a real SAFE negotiation workflow, but it needs Review because it can create recurring cron jobs and handles sensitive negotiation, Telegram, and signing data with broad local and remote access.

Review before installing. Use it only on a dedicated OpenClaw host with a dedicated Telegram bot and sshsign keys, avoid shared machines, set private per-chat state/output directories, and inspect or remove OpenClaw cron and system crontab entries after testing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill declares no permissions while its documented behavior clearly uses environment variables, filesystem reads/writes, networked Telegram interactions, shell execution, and external tooling. This under-declaration prevents informed consent and weakens sandboxing or policy enforcement, making it easier for a powerful skill to be installed or invoked with more access than users expect.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding: The documented purpose presents a bounded negotiation workflow, but the described implementation appears to do substantially more: persistent profile storage, cron/background jobs, key and token creation, PDF generation, local state tracking, and operator/admin flows. This mismatch is dangerous because reviewers and users may approve the skill for a narrow business purpose while it silently obtains long-lived persistence, broader operational control, and sensitive credential-handling capabilities.

Description-Behavior Mismatch
Severity: Medium
Confidence: 93%
Finding: The file includes operator/admin-style capabilities such as doctor, manifest, operator-setup, status, and smoke that go beyond the end-user SAFE negotiation flow. These commands expand the attack surface by exposing deployment metadata, session diagnostics, and configuration-management behaviors that can leak operational details or be abused if the skill is callable by untrusted users.

Context-Inappropriate Capability
Severity: High
Confidence: 97%
Finding: The skill can install and edit persistent cron jobs via both OpenClaw cron and system crontab. Persistence mechanisms are high-risk because they create long-lived background execution on the host, which can survive beyond a single user interaction and be repurposed for unauthorized recurring actions if the skill or its invocation path is abused.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: The status path exposes broad session diagnostics including member roles, Telegram identifiers, bot handles, round state, and delivery information. In a negotiation skill, this is sensitive operational and identity data that could aid enumeration, privacy violations, or workflow interference if accessible to ordinary users or other tenants.

Vague Triggers
Severity: Medium
Confidence: 81%
Finding: The dispatch section includes broad trigger phrases such as 'cancel, stop, abort' and generic negotiation/profile requests, which can cause accidental invocation from ordinary conversation rather than intentional command use. In a skill that can revoke negotiations, write files, launch long-running workflows, and interact with Telegram and signing flows, unintended triggering can disrupt active deals or start sensitive actions without clear user intent.

Missing User Warnings
Severity: Low
Confidence: 77%
Finding: The function decodes a base64 signature image and writes it to a named temporary file on disk before embedding it in the PDF. Even though cleanup is attempted, the image may be exposed to other local users, backup/indexing systems, crashes, or forensic recovery, which is risky because handwritten signatures are sensitive biometric-like artifacts in a document-signing workflow.

Missing User Warnings
Severity: Medium
Confidence: 82%
Finding: The function writes sensitive artifacts, including JWTs and files labeled as private keys, to disk in a negotiation directory without setting restrictive permissions or warning callers about persistence. In a multi-user environment or on systems with a permissive default umask, these files could be exposed to other local users or unintentionally retained, enabling token misuse or leakage of negotiation secrets.

Missing User Warnings
Severity: Medium
Confidence: 78%
Finding: The code transmits negotiation constraints to a remote host via an SSH subprocess without any explicit consent, disclosure, or trust-boundary validation. In this skill context, the constraints can encode commercially sensitive deal terms, so silently sending them to an external service increases confidentiality risk and can violate user expectations or policy requirements.

Missing User Warnings
Severity: Medium
Confidence: 99%
Finding: The code stores a pending negotiation message containing identity and deal terms in a fixed shared /tmp path. /tmp is commonly world-readable within the host context and is unsuitable for sensitive business or identity data, creating a local information disclosure risk and potential cross-session mix-up.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: This code sends negotiation metadata and Telegram identifiers to a remote sshsign service via create_session, join_session, and update_session_member_text without any consent check, minimization, or visible disclosure at the point of transmission. Even if this is expected product behavior, it creates a privacy and data-governance risk because personally identifying information and deal context are exported to an external service automatically.

VirusTotal

65/65 vendors flagged this skill as clean.