ClawHub

agent-wake

Security checks across malware telemetry and agentic risk

Overview

This skill transparently wakes an OpenClaw agent through the local gateway, but users must treat wake messages and the gateway token as sensitive.

Install only if you want trusted local automation to wake your OpenClaw agent. Keep the gateway token private, avoid committing .env files, keep the gateway local or otherwise access-controlled, enable only the cron tool you need, and do not pass raw webhook content, logs, prompts, credentials, or other untrusted text into wake messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no explicit permissions even though its documented behavior requires reading environment variables and local files for credentials and making authenticated HTTP requests. This under-specification hides the real trust boundary from users and reviewers, increasing the chance the skill is enabled in contexts where its network and credential access are not expected.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The activation/usage description is extremely broad, encouraging use from cron jobs, webhooks, alerts, and arbitrary scripts. In a skill that can inject text into an agent session and trigger an immediate response, broad activation increases the chance of accidental or unsafe use with untrusted event sources.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation states that wake events are sent over HTTP and become a system message, but it does not present this as a prominent security warning or explain the implications. Users may unknowingly forward sensitive data or untrusted text into a highly privileged instruction channel.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The setup guide instructs users to retrieve a gateway token from a local config file and place it into a `.env` file or CI environment, but it does not warn that this token is a sensitive credential or describe basic handling precautions. In this skill's context, the token appears to authorize gateway access and enabling the `cron` tool over HTTP increases the value of that credential, so careless storage or logging could let an attacker invoke gateway functionality remotely.

Ssd 1

High
Confidence
99% confidence
Finding
The skill explicitly says the event text is injected as a system message, which creates a direct semantic prompt-injection channel from external scripts or services into the agent's highest-priority context. If any upstream producer is compromised or user-controlled, an attacker can steer agent behavior, cause data disclosure, or trigger unsafe actions in the target Discord channel.

Ssd 1

High
Confidence
98% confidence
Finding
The documentation encourages users to craft wake text that the agent will 'act on,' effectively advertising an instruction channel for behavior redirection. In this context, the skill's purpose is to wake an agent automatically, so coupling wake-up with arbitrary action-oriented text makes external prompt injection especially dangerous.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal