qclaw-watchdog

Security checks across malware telemetry and agentic risk

Overview

This watchdog mostly matches its purpose, but it ships real-looking Feishu credentials and exposes remote chat commands that can start, restart, or quit QClaw without visible sender authorization.

Review before installing. Replace and revoke the bundled Feishu credentials, ensure the bot only accepts commands from trusted sender or chat IDs, avoid enabling background or LaunchAgent startup until that is verified, and treat restart/quit commands as service-disrupting operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium (89% confidence)
Finding
The skill is described as a watchdog that alerts and auto-restarts QClaw, but the code also exposes a remote command interface over Feishu and sends routine status messages. Expanding from alerting into remote control increases attack surface and creates capability mismatch, especially if any inbound message from the chat channel can trigger operational actions.

Context-Inappropriate Capability

High (97% confidence)
Finding
The code permits a remote chat command to terminate QClaw, which can be abused for denial of service if an unauthorized or spoofed message is processed. In a watchdog context, quit capability is more dangerous than health restoration because it directly disables the protected service rather than maintaining availability.

Missing User Warnings

Medium (88% confidence)
Finding
The documented remote control commands include state-changing operations such as restart, start, and quit, but the documentation does not clearly warn that remote messages can interrupt service availability. In a watchdog that accepts commands via Feishu, unclear disclosure increases the risk of unsafe deployment or accidental operational disruption.

Missing User Warnings

Medium (85% confidence)
Finding
The skill advertises automatic restart and one-click update behavior without a prominent warning that these actions can cause downtime or introduce unintended code changes. Auto-update is especially sensitive because it may fetch and run newer code from a remote source, expanding supply-chain and change-control risk.

Missing User Warnings

Medium (87% confidence)
Finding
The watchdog automatically starts, restarts, and quits a local application and writes operational data to disk, but these side effects are not clearly disclosed in the interface or bounded by explicit consent. This can surprise operators, cause unintended process manipulation, and create local privacy or integrity risks through persistent logs.

Missing User Warnings

Medium (94% confidence)
Finding
Incoming message content is logged verbatim to disk, which may capture sensitive operational commands or personal data from chat. Persistent plaintext logging increases exposure if the host is shared, backed up insecurely, or later accessed by other local users/processes.

VirusTotal

66/66 vendors flagged this skill as clean.
