Infinite Oracle

Security checks across malware telemetry and agentic risk

Overview

This skill is disclosed as an autonomous background worker, but it gives that worker persistent local control, external Feishu syncing, and high-priority free-form override channels that users should review carefully before installing.

Install only if you intentionally want a long-running autonomous worker. Use a sandboxed workspace and low-privilege accounts, avoid entering OTPs, payment, identity, or other secrets into logs, backlog, overrides, or Feishu fields, and inspect SOUL.md, AGENTS.md, ~/.openclaw/peco_override.txt, logs, and Feishu permissions before starting the loop. Prefer the reviewed ClawHub package over the live Git one-shot install and stop the background process when the task is no longer active.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Missing User Warnings

Medium
Confidence: 90%
Finding
The README explicitly discusses handling SMS verification codes, bank-card linkage, facial scan blockers, and preserving Feishu app credentials, but does not provide a clear privacy and secrets-handling warning next to those flows. In an agentic system that writes logs, spreadsheets, and backlog files, this can lead to sensitive data being stored in plaintext, over-retained, or exposed to the wrong agent/session.

Vague Triggers

Medium
Confidence: 87%
Finding
The activation rule uses 'anything equivalent to' instead of a tightly bounded trigger phrase list, which creates prompt-matching ambiguity and increases the chance of accidental or adversarial activation. In this skill, activation leads to persistent agent creation, file mutation, and background process startup, so loose triggering materially raises risk.

Missing User Warnings

Medium
Confidence: 92%
Finding
The Feishu section directs the manager to collect app credentials and operate on external tracking documents, but it does not provide a clear privacy warning, data-handling notice, or scoping limitation to the user. This is dangerous because users may disclose secrets or authorize syncing of sensitive task data without understanding retention, exposure, or third-party transfer implications.

Ssd 3

Medium
Confidence: 94%
Finding
The skill normalizes persistent logging of overrides, unresolved human tasks, loop activity, manager notifications, and Feishu-linked records, creating a broad data-retention surface for user inputs and potentially sensitive operational context. Because this persistence spans local files and optional external sync, it increases the likelihood of unintended disclosure, over-retention, and secret spillage.

Ssd 4

Medium
Confidence: 84%
Finding
The skill instructs the manager to inject and repeatedly reinforce a 'durable desire anchor' in SOUL.md so the worker acts from an enduring motive rather than the current user task. This is a form of persistent behavioral steering that can outlast the user's immediate intent and bias future planning in ways the user may not notice or revoke easily.

Ssd 3

High
Confidence: 97%
Finding
Human-provided task resolutions from Feishu and local overrides are merged into override_text and then injected into the next model prompt as authoritative control input. Because these external texts are not validated, schema-checked, or privilege-separated, anyone who can influence those sources can steer the agent's behavior, bypass normal intent boundaries, or induce unsafe actions.

Ssd 1

High
Confidence: 98%
Finding
The prompt explicitly labels the override block as 'HIGHEST PRIORITY', giving free-form text semantic precedence over the system contract and loop policy. In an autonomous orchestration skill, this creates a prompt-injection control channel where any actor able to write override content can redirect behavior, suppress safeguards, or manipulate workflow decisions.

Ssd 4

Medium
Confidence: 80%
Finding
The manager-notification flow forwards internal pause details to a second model, which then generates a human-facing request. This creates an additional prompt-processing hop where unsafe or attacker-influenced content can be transformed, amplified, or socially engineered into escalation messages, especially because the details field may contain model-derived text and blocker descriptions.

VirusTotal

66/66 vendors flagged this skill as clean.