Tool Governance

Security checks across malware telemetry and agentic risk

Overview

This tool-safety skill is mostly purpose-aligned, but it asks for powerful hook behavior that can rewrite commands, change git state, and persist error details with uneven disclosure and inconsistent instructions.

Review before installing. Only enable these hooks in repositories where automatic command blocking, command rewriting patterns, and git stash checkpoints are acceptable. Treat the shared-context state files as potentially sensitive, and check hook configuration carefully so failure tracking and rollback behavior actually run on the intended events.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The documentation says error tracking and rollback are triggered on PostToolUseFailure, but the usage example registers a PostToolUse hook instead. In a governance skill, this ambiguity is security-relevant because rollback or failure counting may not trigger as intended, causing destructive actions to proceed without recovery or repeated failing commands to evade the circuit breaker.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The deny example states blocking occurs after 3 failures, while the policy elsewhere says 3-4 failures should only inject additionalContext and hard blocking starts at 5. This inconsistency can lead implementers to deploy stricter or looser controls than intended, undermining reliability and potentially causing denial-of-service against legitimate operations or failure to stop unsafe retry loops.

Missing User Warnings

Medium
Confidence: 88%
Finding
The rollback pattern changes repository state in ways users may not expect: `git add -A` stages tracked and untracked files, and the later `git reset HEAD` / stash workflow can affect index state and restoration semantics. Because the document recommends automatic rollback after tool failure without a prominent warning or guardrails, users may suffer confusing state changes, lost staging intent, or incomplete recovery when Bash side effects extend beyond git-tracked content.

Missing User Warnings

Medium
Confidence: 91%
Finding
The document explicitly recommends using PreToolUse `updatedInput` to directly rewrite a tool command before execution, framing it as more reliable than advisory context. In a tool-governance skill, this is risky because it enables silent substitution of the user- or agent-intended command with a different command path, which can introduce unreviewed installs, destructive side effects, or policy bypass without an explicit confirmation boundary.

Missing User Warnings

Low
Confidence: 91%
Finding
The script persists per-session denial history under ~/.openclaw/shared-context/sessions without any disclosure, consent check, retention control, or minimization. Although the stored data is limited to tool name, count, and timestamp, it still creates an undeclared behavior-tracking record that could expose user or agent interaction patterns to other local processes or later operators of the same account.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script persists tool failure details, including the tool name, truncated error text, and a hash of tool input, into a per-session file under the user's home directory without any disclosure, consent, minimization, or access-control checks. In this skill context, failures may include sensitive paths, tokens, prompts, or operational details, so silently retaining them increases the chance of unintended data exposure to other local processes, users, or later components that read shared session state.

VirusTotal

62/62 vendors flagged this skill as clean.