ClawHub

Openclaw Master Skills Clawhub Pkg

Security checks across malware telemetry and agentic risk

Overview

This is a Markdown-only catalog of skills, not executable code, but some listed skill descriptions are broad and should not be treated as permission to install or run everything automatically.

Treat this package as an index, not as approval for every listed skill. Before installing linked skills, inspect the specific skill files, especially anything involving credentials, wallets, browser or desktop automation, memory, social posting, email, background updates, or bulk file changes; require explicit confirmation before installing or granting those capabilities.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The README advertises multiple skills with imperative trigger language like 'MUST use' or 'use whenever' without narrow boundaries, which can bias an agent toward invoking powerful skills inappropriately. In a large skill pack containing automation, browser, filesystem, messaging, and credential-related capabilities, overly broad routing guidance increases the chance of unnecessary tool access, privilege expansion, or unsafe autonomous behavior.

Vague Triggers

Medium
Confidence
93% confidence
Finding
A description that says to use a PDF skill for any PDF-related request creates an overly aggressive dispatch rule, even when a safer or simpler local operation would suffice. Because PDFs often contain sensitive documents and can trigger extraction, editing, OCR, or external tooling, this broad trigger can cause over-collection or unintended processing of confidential data.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Mandating a spreadsheet skill for any spreadsheet-related task is too broad because many spreadsheet tasks vary widely in risk, from harmless summarization to bulk modification of sensitive financial data. This kind of blanket routing can push an agent to invoke file-writing or parsing tools unnecessarily, increasing the chance of data corruption, oversharing, or unintended changes.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Requiring a skill for any network request or data-fetching task is especially risky because it effectively broadens that skill's authority across a huge class of operations. In a skill ecosystem with external APIs and live web access, such wording can lead to excessive outbound requests, data exfiltration opportunities, unexpected credential use, or invocation of the wrong integration for sensitive traffic.

Vague Triggers

Medium
Confidence
94% confidence
Finding
A requirement to use a brainstorming skill before any creative work is overly broad and can hijack routine tasks by forcing unnecessary tool/skill selection. In an agent setting, this kind of universal precondition can interfere with normal instruction following, create routing conflicts, and expand the attack surface by invoking extra components without clear need.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal