Last30Days Community Intelligence for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This research skill is not clearly malicious, but it uses high-impact local session credentials and persists research data in ways users should review before installing.

Install only if you are comfortable with a research tool using local X browser cookies or AUTH_TOKEN/CT0, reading Codex login credentials as an OpenAI fallback, sending search topics/URLs to third-party services, and retaining reports/findings locally. Prefer explicit API keys where possible, keep the secrets file private, avoid sensitive topics unless you are comfortable with persistence and provider disclosure, and review/delete the local data directory periodically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Tainted flow: 'MODEL_CACHE_FILE' from os.environ.get (line 29, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    """Save model selection cache."""
    ensure_cache_dir()
    try:
        with open(MODEL_CACHE_FILE, 'w') as f:
            json.dump(data, f)
    except OSError:
        pass
Confidence
90% confidence
Finding
with open(MODEL_CACHE_FILE, 'w') as f:

Tainted flow: 'OUTPUT_DIR' from os.environ.get (line 52, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    # Raw responses
    if raw_openai:
        with open(OUTPUT_DIR / "raw_openai.json", 'w') as f:
            json.dump(raw_openai, f, indent=2)

    if raw_xai:
Confidence
79% confidence
Finding
with open(OUTPUT_DIR / "raw_openai.json", 'w') as f:

Tainted flow: 'OUTPUT_DIR' from os.environ.get (line 52, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
            json.dump(raw_openai, f, indent=2)

    if raw_xai:
        with open(OUTPUT_DIR / "raw_xai.json", 'w') as f:
            json.dump(raw_xai, f, indent=2)

    if raw_reddit_enriched:
Confidence
79% confidence
Finding
with open(OUTPUT_DIR / "raw_xai.json", 'w') as f:

Tainted flow: 'OUTPUT_DIR' from os.environ.get (line 52, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
            json.dump(raw_xai, f, indent=2)

    if raw_reddit_enriched:
        with open(OUTPUT_DIR / "raw_reddit_threads_enriched.json", 'w') as f:
            json.dump(raw_reddit_enriched, f, indent=2)
Confidence
82% confidence
Finding
with open(OUTPUT_DIR / "raw_reddit_threads_enriched.json", 'w') as f:

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The README explicitly states that every run auto-saves a complete briefing into ~/Documents using a topic-named file. That creates persistent local copies of potentially sensitive research queries and outputs in a user-visible directory without emphasizing the privacy implications up front, increasing exposure through backups, sync services, shared machines, and accidental disclosure.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This helper goes beyond ordinary per-skill configuration loading by inspecting a global Codex auth file, extracting an access token, decoding its JWT payload, and reading a ChatGPT account identifier. Even if used for convenience, that behavior expands the skill's access to unrelated host authentication state and increases the blast radius if the skill or downstream code mishandles the returned config.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Storing raw OpenAI, xAI, and enriched Reddit payloads on disk exceeds what is necessary to render end-user reports and creates avoidable confidentiality and privacy exposure. In this skill's context, the raw payloads may include prompts, scraped content, metadata, or model output that users would not expect to be retained verbatim.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This file implements direct extraction of X/Twitter authentication cookies from Safari, Chrome, Firefox, CLI args, and environment variables, then assembles them into a reusable Cookie header. That is credential-harvesting capability: anyone able to invoke this code can obtain session tokens that may allow account access or impersonation. Given the skill’s stated purpose is research/briefing, this capability is not necessary and materially increases the chance of unauthorized account access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to provide X authentication cookies or tokens and references reading browser cookies, but it does not warn that these credentials are highly sensitive and may grant account access. In this context, the danger is elevated because the skill also uses filesystem storage and shell-based setup, increasing the chance that secrets are mishandled, persisted insecurely, or exposed through logs, scripts, or misconfigured permissions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Advertising automatic saving to ~/Documents without an immediate caution can mislead users into running sensitive research topics under the assumption that results are ephemeral. Because Documents is commonly indexed, backed up, or cloud-synced, this can unintentionally leak research subjects and synthesized content beyond the local session.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions normalize pulling active X session credentials from browser cookies or manually exporting AUTH_TOKEN and CT0, but do not prominently warn that these are live session secrets. Exposure of those values can let anyone reuse the user's X session, potentially leading to account takeover, impersonation, or unauthorized access to private account capabilities.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script automatically loads and uses multiple API keys and session tokens to contact third-party services, with broad source auto-detection and no explicit runtime consent before outbound transmission. In a skill context, that increases the chance a user triggers network access with sensitive topics or account-linked credentials without fully understanding which services will be contacted.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code sends the user-provided search topic to ScrapeCreators, a third-party service, without any evidence in this file of user notice, consent flow, or data-minimization guardrails. In a research skill, users may enter sensitive topics, proprietary company names, or internal investigations, so silent exfiltration of queries to an external API creates a real privacy and compliance risk even if it is part of intended functionality.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The transcript enrichment call sends Instagram reel URLs to ScrapeCreators without any explicit disclosure in this file. Although the URLs are typically public Instagram links rather than direct user secrets, they still reveal what content the user is investigating and create an additional third-party data-sharing path beyond the initial search.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code sends user-supplied search topics and Reddit post URLs to a third-party service (ScrapeCreators) for search and comment retrieval. In a research skill this may be functionally intended, but without clear user consent, disclosure, or data-minimization controls it creates a genuine privacy and data-handling risk, especially if users search for sensitive topics or private watchlist subjects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends user-supplied search topics and TikTok video URLs to ScrapeCreators, a third-party service, during search and transcript enrichment. Even if functionally intended, this is a genuine privacy/data-sharing issue because potentially sensitive research queries and accessed content are disclosed externally without any user-facing notice, consent flow, or data-minimization controls.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The UI text explicitly tells users that Bird 'reads your browser cookies automatically' to authenticate to X. Browser cookies are privacy- and session-sensitive credentials, and presenting this behavior without an explicit consent, scope, or security warning normalizes credential harvesting behavior and may cause users to unknowingly grant access to authenticated sessions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code accesses sensitive browser cookies and environment credentials without any explicit consent prompt, warning, or user-facing disclosure in this file. Silent credential access is dangerous because users may not realize the skill can read local authenticated session material, making accidental misuse or covert collection more likely.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This code logs the full article payload and associated note_tweet object when the BIRD_DEBUG_ARTICLE environment variable is set. Those objects can contain large amounts of scraped or user-derived content and metadata, so enabling debug mode can leak sensitive or regulated data into logs, which are often broadly retained and accessible in production-like environments.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The watchlist runner automatically fetches external content for arbitrary topics and persists normalized findings into storage, but the CLI does not provide a clear consent notice, retention notice, or warning that third-party content and metadata will be stored locally. In a research aggregation skill that collects data from multiple platforms, this increases privacy, compliance, and operator-surprise risk, especially if sensitive topics or personal data are queried and retained unintentionally.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs the agent to read and then update a persistent local context file for user preferences and source notes, but it does not require obtaining explicit user consent or notifying the user that local state will be modified. This creates a privacy and integrity risk because the skill can silently retain, alter, or accumulate user-specific data across sessions in a way the user may not expect.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to run a script against external sources and persist findings with `--store`, but provides no user-facing disclosure or consent flow about what data may be collected, retained, or reused. In a research workflow, user prompts can contain sensitive interests, company names, investigations, or watchlist subjects, so silent persistence creates a real privacy and data-governance risk even if the command itself is fixed and not obviously injectable.

VirusTotal

63/63 vendors flagged this skill as clean.
