Klemenska Security Auditor

Security checks across malware telemetry and agentic risk

Overview

This is a local skill-scanning tool with some accuracy and reporting limitations, but there is no evidence of hidden exfiltration, persistence, destructive behavior, or unrelated privilege use.

Install only if you want a local advisory scanner for OpenClaw skills. Run it on specific skill directories rather than broad or sensitive paths, review generated reports before sharing because they can include source-line snippets, and do not treat a clean result as a complete security review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The tool intentionally skips auditing itself, creating a blind spot in a security product whose stated purpose is to detect risky skills. That means a compromised or malicious version of this skill can evade its own checks and mislead users into trusting incomplete scan results.

VirusTotal

66/66 vendors flagged this skill as clean.
