Doc Collaboration Watcher

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its document-watching purpose, but it ships a plaintext ClawHub publishing token and uses broad default monitoring/notification behavior that users should review before installing.

Review this version before installing. The publisher should revoke and rotate the exposed ClawHub token, remove it from the package and history, and add explicit privacy controls. Before running the watcher, limit monitored documents to non-sensitive files, disable or restrict automatic channel use, and check where change-history or memory records are stored.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

High
Confidence: 99%
Finding
The publish guide includes what appears to be a live ClawHub API token directly in plaintext shell commands. Anyone with access to this document can reuse the credential to publish, modify, or otherwise act against the associated ClawHub account, making this a direct secret exposure rather than a theoretical issue.

Missing User Warnings

High
Confidence: 98%
Finding
The markdown not only exposes a credential but presents it as normal usage without any warning, masking the severity of handling a production secret in documentation. In the context of a published skill guide, this increases the likelihood of broad dissemination and opportunistic abuse because readers may copy or retain the leaked token.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README explicitly describes zero-config behavior that automatically reads `~/.openclaw/config/openclaw.json` and uses all enabled channels for notifications, but it does not present a clear consent, privacy, or blast-radius warning. In a collaboration-monitoring skill, this can lead users to unknowingly broadcast document-change metadata across multiple messaging systems, increasing information disclosure and operational surprise.

Missing User Warnings

Medium
Confidence: 91%
Finding
The README states that OpenClaw memory integration is enabled and that change events are stored, but the default data retention behavior is not highlighted as a prominent warning in the setup flow. Even if document contents are not stored, filenames, timestamps, actors, and change metadata can still be sensitive and create an unexpected audit trail or privacy exposure.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill is designed to monitor documents, log changes, and automatically broadcast updates across multiple messaging channels, yet the documentation contains no warning about potential leakage of document contents, metadata, or collaboration activity. In a multi-agent workspace, this can cause unintentional disclosure of sensitive file names, paths, timing, and possibly content-derived summaries to broader audiences than intended.

Missing User Warnings

Low
Confidence: 96%
Finding
The examples expose absolute local filesystem paths and file:// URLs, which reveal host-specific information such as usernames, directory structure, and workspace layout. While not immediately critical on their own, these details aid fingerprinting and social engineering and may expose sensitive internal environment information if notifications are shared externally.

VirusTotal

66/66 vendors flagged this skill as clean.
