Openclaw Plugin

Security checks across malware telemetry and agentic risk

Overview

Kevros is a disclosed governance plugin, but it sends sensitive tool-call data to a third-party service by default and can let that service block local actions.

Install only if you intentionally want third-party governance logging for high-risk agent tools. Set an explicit non-sensitive agentId and API key, consider advisory mode for evaluation, disable autoAttest where sensitive outputs may appear, and avoid using this with secrets, customer data, private file contents, or regulated workloads unless the gateway’s retention, access, and compliance posture has been reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The README explicitly documents that tool inputs and output summaries are sent to a remote governance gateway for verification and attestation, but it does not prominently warn users that potentially sensitive commands, arguments, and execution results will leave the local environment. In an agent context, these payloads may contain secrets, file paths, customer data, or operational details, so lack of clear disclosure creates a real privacy and data-handling risk.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding:
The auto-provisioning feature causes outbound network traffic to a remote signup endpoint when no API key is configured, but the documentation does not clearly warn users that installation/use may trigger automatic registration. While less severe than transmitting tool payloads, this still creates an unexpected external connection and service enrollment behavior that users should knowingly opt into.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The plugin sends high-risk tool inputs to the external Kevros governance gateway during verification, and later sends input plus an output summary during attestation. Those payloads may contain secrets, personal data, proprietary prompts, or command results, yet the code shows no minimization, redaction, or user-consent mechanism before exfiltrating them to a third party. In an agent-governance skill, this behavior is contextually expected, but it is still risky because the very tools marked high-risk are the ones most likely to process sensitive material.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The manifest explicitly states that post-execution attestation sends truncated tool output to a remote gateway, but it does not present a clear user-facing disclosure of what data may leave the local environment or the privacy/security consequences. Because high-risk tools include shell and file-editing operations, even truncated output can contain secrets, credentials, file contents, or sensitive operational context, making undisclosed transmission materially risky.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The default configuration enables `autoAttest`, which means tool activity may be sent to a remote governance service without explicit opt-in at the configuration point. In an agent/security product this can expose operational metadata, prompts, tool usage, or provenance records to an external service unexpectedly, creating privacy, compliance, and data-handling risks if users are unaware.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
Using the system hostname as the default `agentId` can leak host-identifying information to the governance backend, especially in enterprise or personal environments where hostnames encode usernames, asset tags, or internal naming conventions. Because this identifier is used for governance tracking, the plugin context makes the issue more sensitive: the data is likely transmitted and retained remotely as part of a trust/identity workflow.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The plugin sends high-risk tool inputs and a summary of tool outputs to an external governance gateway during attestation, but this file provides no user-facing notice, consent gate, or redaction step. Because tool inputs/outputs can contain secrets, personal data, or sensitive operational content, this creates a real data exfiltration/privacy risk even if the gateway is intended for security governance.

Ssd 3

Severity: Medium
Confidence: 98%
Finding:
The skill explicitly sends full tool input payloads before execution and sends a truncated natural-language output summary after execution to an external gateway. Even with hashing of stored payloads, the transmission itself can expose secrets, personal data, credentials, prompts, or proprietary content to the remote service, and the 500-character summary increases the chance of sensitive data leakage.

VirusTotal

66/66 vendors flagged this skill as clean.