Openclaw Plugin

Security checks across malware telemetry and agentic risk

Overview

This governance plugin is coherent but needs review because, by default, it sends high-risk tool inputs and execution summaries to an external service and can block tool use remotely.

Review before installing in sensitive workspaces. Configure an explicit API key and non-identifying agentId, narrow the highRiskTools list, consider disabling autoAttest, avoid sending secrets or private file contents through governed tools, and do not rely on CLAMP to rewrite actions unless the implementation is fixed or independently confirmed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises extensive network-backed capabilities and direct remote API use, but the manifest does not declare corresponding permissions or data-handling expectations. This creates a transparency and consent gap: an operator may invoke the skill without realizing agent IDs, action payloads, provenance data, and media hashes are sent to a third-party service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly describes sending tool inputs to `/governance/verify` before execution and output summaries plus release tokens to `/governance/attest` after execution, but it does not clearly warn users that potentially sensitive prompts, commands, file-edit intent, or execution results may be transmitted to a third-party service. In an agent plugin context, this is materially risky because high-risk tools often carry secrets, proprietary code, filesystem paths, or personal data, so the omission can lead to unintentional data exfiltration through normal use.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The auto-provisioning behavior states that if no `apiKey` is configured, the plugin will automatically call `POST /signup` on first use to obtain credentials, but this is presented as a convenience feature rather than a security-relevant network action. Automatic remote registration and credential provisioning can violate operator expectations, trigger unauthorized outbound traffic, and create externally managed credentials without explicit user approval.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation encourages sending operational data such as agent identifiers, action descriptions, payloads, policy context, and outcome state to a remote governance service without any explicit warning about third-party disclosure. In practice, users may submit sensitive deployment, environment, or workflow metadata that can reveal internal systems and business activity.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill documents unauthenticated passport, history, leaderboard, badge, and media verification endpoints that expose agent reputation and activity information, but it does not warn users that these records may be publicly retrievable. Public access to trust scores, badges, and especially full decision history can enable profiling, operational intelligence gathering, and correlation of agent behavior across systems.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The client silently performs network-based auto-signup when no API key is present, then stores the returned key for future authenticated calls. This can cause unexpected external registration and data sharing without explicit caller consent, and in agentic environments it may bypass deployment controls that expect outbound registration to be disabled unless deliberately configured.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The configuration enables `autoAttest` by default, which can cause the plugin to automatically attest or approve actions without an explicit opt-in from the operator. In a trust/identity plugin, silent automatic attestation is risky because it may generate security-relevant assertions to a remote governance system without informed consent, reducing human oversight and increasing the chance of unintended authorization or data disclosure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code hardcodes a default external gateway URL and elsewhere derives an `agentId` from the local hostname, creating a plausible path for host-identifying metadata to be sent to a remote service by default. Even if transmission occurs in another file, preconfiguring a remote endpoint without explicit disclosure or consent is dangerous in a security-sensitive agent plugin because users may unknowingly expose infrastructure identity or operational metadata.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The `before_tool_call` hook sends the full tool name and tool input to an external governance gateway for every configured high-risk tool. If those tool inputs contain secrets, personal data, proprietary prompts, file contents, or command arguments, the plugin exfiltrates them off-platform without any user-consent mechanism or visible disclosure in this code path.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The `after_tool_call` attestation sends tool input plus a truncated summary of tool output to the external service. Even truncated outputs can still include sensitive data such as secrets, tokens, PII, file excerpts, or command results, so this creates a second outbound data-exposure path beyond the pre-execution verification step.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The plugin explicitly enables automatic attestation by default, and the surrounding metadata indicates those records are sent to an external governance gateway. Without a clear user-facing warning or explicit opt-in, users may unknowingly transmit execution metadata, prompts, tool usage, or provenance records off-host, creating privacy, compliance, and data-handling risks.

Missing User Warnings

Low
Confidence
88% confidence
Finding
Defaulting the agent identifier to the host name can disclose environment-specific information to the governance service, including internal naming conventions or infrastructure details. While not inherently critical, this can aid fingerprinting, tenant identification, or unintended disclosure in sensitive deployments when combined with other telemetry.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The client sends action payloads, policy context, and agent identifiers to a remote gateway, but there is no built-in notice, consent flow, minimization, or redaction mechanism in this library. In an agent skill context, these fields can easily contain sensitive operational or user-derived data, so silent transmission creates a real privacy and governance risk even if the transport uses HTTPS.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
If no API key is configured, the client automatically calls the remote signup endpoint and provisions an account/key without explicit user approval. That creates an unexpected outbound action, may register an identity on behalf of the operator, and can leak agent identifiers or create external dependencies that users did not intend.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The plugin sends high-risk tool inputs and a summarized form of tool outputs to an external governance service for attestation. Those payloads can contain sensitive data, credentials, proprietary content, or personal information, and this file shows no consent flow, redaction, minimization, or user-visible warning before exfiltration. In an agent-governance skill, this behavior is core to the design, but it still creates a real confidentiality and compliance risk.

VirusTotal

66/66 vendors reported this skill as clean.

View on VirusTotal