Expert Library Plus Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is a local installer for an expert-library prompt system whose behavior is disclosed up front; it has setup hardening issues but shows no evidence of hidden or harmful behavior.

Install it only if you are comfortable with a local Python installer writing to ~/.openclaw/experts and creating backups there. Review the installer before running it, do not pass --no-backup unless you intend to forgo that protection, and require explicit confirmation before any install, update, rollback, or overwrite action.
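One way to do that review before running anything: a small AST pass over the installer source that flags the call patterns worth reading by hand (shell-capable process launches, f-string command construction, eval/exec/dynamic import). This is an added example, not SkillSpector's scanner and not part of the skill; the SAMPLE_INSTALLER string is a constructed stand-in that mirrors the flagged post-install step, not the skill's actual file.

```python
"""Added example (not SkillSpector's scanner and not part of the skill): a
minimal AST pass to run over an installer before executing it, flagging the
call patterns a pre-install review should read by hand."""
import ast
from typing import List, Optional, Tuple

# (module, attribute) pairs that spawn a process; the os.* ones always use a shell.
PROCESS_CALLS = {
    ("os", "system"), ("os", "popen"),
    ("subprocess", "run"), ("subprocess", "call"), ("subprocess", "check_call"),
    ("subprocess", "check_output"), ("subprocess", "Popen"),
}
# Bare builtins that execute code or import modules chosen at runtime.
DYNAMIC_EXEC = {"eval", "exec", "compile", "__import__"}

Finding = Tuple[int, str, str]  # (line, severity, description)


def _callee(func: ast.expr) -> Optional[Tuple[Optional[str], str]]:
    """Return (module, name) for `module.name(...)`, (None, name) for `name(...)`."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return func.value.id, func.attr
    if isinstance(func, ast.Name):
        return None, func.id
    return None


def _shell_true(call: ast.Call) -> bool:
    """True for subprocess.*(..., shell=True)."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def _fstring_arg(call: ast.Call) -> bool:
    """True when any positional argument is an f-string (interpolated command)."""
    return any(isinstance(a, ast.JoinedStr) for a in call.args)


def scan_source(src: str) -> List[Finding]:
    """Walk the installer source and return findings sorted by line."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        callee = _callee(node.func)
        if callee is None:
            continue
        mod, name = callee
        if mod == "os" and (name.startswith("exec") or name.startswith("spawn")):
            findings.append((node.lineno, "high", f"os.{name}() replaces or spawns a process"))
        elif (mod, name) in PROCESS_CALLS:
            if mod == "os" or _shell_true(node):
                desc, sev = f"{mod}.{name}() runs through the shell", "high"
            else:
                desc, sev = f"{mod}.{name}() spawns a process without a shell", "medium"
            if _fstring_arg(node):
                desc += "; command built from an f-string"
            findings.append((node.lineno, sev, desc))
        elif mod is None and name in DYNAMIC_EXEC:
            findings.append((node.lineno, "high", f"dynamic execution via {name}()"))
    return sorted(findings)


# Constructed sample mirroring the flagged installer step; not the skill's file.
SAMPLE_INSTALLER = """\
import os
import subprocess
import sys
from pathlib import Path

def install():
    verify_path = Path(__file__).parent.parent / "verify.py"
    if verify_path.exists():
        os.system(f"python {verify_path}")
    subprocess.run([sys.executable, str(verify_path)], check=True)
"""


def high_findings(src: str) -> List[Finding]:
    """Only the findings that should block an install until read by a human."""
    return [f for f in scan_source(src) if f[1] == "high"]


if __name__ == "__main__":
    for line, sev, desc in scan_source(SAMPLE_INSTALLER):
        print(f"L{line:<3} {sev:<6} {desc}")
```

Run it against the real installer with `scan_source(open(path).read())` before executing the file. A non-empty `high_findings` result is a reason to read those lines, not an automatic verdict: the page's own finding shows the os.system call is a post-install verification step, which is a design weakness rather than evidence of malice.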

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
import os
from pathlib import Path

# Excerpt flagged by the finding: the installer's post-install verification step.
verify_path = Path(__file__).parent.parent / "verify.py"
if verify_path.exists():
    print("\n🔍 Verifying installation...")
    # Flagged line: the path is interpolated into a string handed to the shell.
    os.system(f"python {verify_path}")

print("\n🎉 Expert Library Plus is ready to use!")
print("Try: '请专家帮我设计一个产品'")  # "Ask the expert to help me design a product"
Confidence
90% confidence
Finding
os.system(f"python {verify_path}")

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to download, install, verify, back up, update, and write files under user directories, which implies shell, environment, and file-write capabilities, yet it declares no permissions. That mismatch between advertised behavior and declared security boundaries means an agent may perform filesystem and command-execution actions without transparent consent or least-privilege controls, raising the risk of unintended modification, overwrite, or execution of untrusted content.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The installer launches a second Python process during installation, a broader execution capability than copying files requires. Here it appears intended for post-install verification, but spawning a separate interpreter through the shell adds avoidable execution risk on a trusted installation path.
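The two findings above (the os.system() call and the second interpreter it spawns) come down to the same line. As an added example that is not the skill's code, here is that pattern beside a hardened launcher: the string the shell would receive is returned rather than executed so its word splitting can be inspected, and the hardened version runs verify.py under the interpreter already executing the installer, with no shell and the path as a single argv element. The verify.py written into a temporary directory is a constructed stand-in so the block runs offline; the directory name with a space is a hypothetical path chosen to show the split.

```python
"""Added example, not code from the skill's installer or from SkillSpector:
the flagged os.system() pattern beside a hardened launcher. The verify.py
written here is a constructed stand-in so the block runs offline."""
import shlex
import subprocess
import sys
import tempfile
from pathlib import Path


def shell_command_for(verify_path: Path) -> str:
    """The string that os.system(f"python {verify_path}") hands to the shell.
    Returned, not executed, so its shell parsing can be inspected."""
    return f"python {verify_path}"


def shell_words(verify_path: Path) -> list:
    """How a POSIX shell would split that string into words; metacharacters
    such as ; or $( ) in the path would be interpreted on top of this."""
    return shlex.split(shell_command_for(verify_path))


def hardened_argv(verify_path: Path) -> list:
    """No shell and no PATH lookup of 'python': the interpreter already running
    the installer runs verify.py, and the path stays one argv element whatever
    characters it contains."""
    return [sys.executable, str(verify_path)]


def run_verify(verify_path: Path) -> int:
    """Run the verifier with the hardened argv and return its exit status."""
    verify_path = verify_path.resolve(strict=True)   # must exist; fail loudly if not
    if verify_path.suffix != ".py":
        raise ValueError(f"refusing to run non-Python file {verify_path}")
    completed = subprocess.run(hardened_argv(verify_path), check=False)
    return completed.returncode


def demo(exit_code: int = 3) -> dict:
    """Write a constructed verify.py into a directory whose name contains a
    space, then compare the shell split with the hardened argv and run it."""
    with tempfile.TemporaryDirectory() as tmp:
        odd_dir = Path(tmp) / "expert lib"       # hypothetical path with a space
        odd_dir.mkdir()
        script = odd_dir / "verify.py"
        script.write_text(f"import sys\nsys.exit({exit_code})\n")
        return {
            "shell_words": shell_words(script),
            "hardened_argv": hardened_argv(script),
            "returncode": run_verify(script),
        }


if __name__ == "__main__":
    out = demo()
    print("shell would see :", out["shell_words"])
    print("hardened argv   :", out["hardened_argv"])
    print("verify exit code:", out["returncode"])
```

The space in the directory name is enough to break the shell form into three words, so the verifier silently fails to run on any install path containing a space; the argv form is unaffected and also removes the dependency on whichever `python` happens to be first on PATH. It still spawns a second interpreter, which is the residual capability the third finding describes; the only way to remove that is to not run verify.py as a separate program at all.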

Vague Triggers

Medium
Confidence
84% confidence
Finding
The usage guidance includes natural-language activation such as "请专家帮我..." ("ask the expert to help me..."), which is broad enough that ordinary conversation may trigger the skill unintentionally, with no clear boundary between informational discussion and operational install/management actions. In a skill that can install software, update content, and modify files, ambiguous triggering raises the chance of accidental invocation of sensitive behaviors or of delegating to the skill in the wrong context.

VirusTotal

66/66 vendors flagged this skill as clean.
