Raon OS

Security checks across malware telemetry and agentic risk

Overview

This skill’s sensitive behavior is mostly disclosed and aligned with its startup-analysis purpose, but users should treat submitted business plans as potentially sent to configured AI/API services.

Install only if you are comfortable letting this tool process startup plans locally and through whichever LLM/API endpoints you configure. Use trusted RAON_API_URL, OLLAMA_URL, Supabase, and widget data-api values; avoid uploading confidential PDFs to deployments without a privacy policy; protect ~/.openclaw/.env with restrictive permissions; and set webhook/API secrets before exposing the server publicly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Tainted flow: 'OLLAMA_URL' from os.environ.get (line 69, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
import os
import urllib.request

# OLLAMA_URL comes from os.environ.get elsewhere in the script (line 69 per the finding); the default here is an assumption.
OLLAMA_URL = os.environ.get("OLLAMA_URL", "http://localhost:11434")

def _ollama_available() -> bool:
    """Check whether the Ollama server responds (3-second timeout)."""
    try:
        # Environment-derived URL reaches the network here: the tainted flow this finding reports.
        urllib.request.urlopen(f"{OLLAMA_URL}/api/tags", timeout=3)  # nosec B310
        return True
    except Exception:
        return False
Confidence
90% confidence
Finding
urllib.request.urlopen(f"{OLLAMA_URL}/api/tags", timeout=3) # nosec B310

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The help text advertises substantial capabilities beyond the declared startup-companion scope, including serving an HTTP API, software/model installation, valuation, and evaluation tracking. Scope expansion is dangerous because users may invoke administrative or network-exposed functionality they did not expect from the manifest, undermining least surprise and review assumptions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The install-model path can install software and pull multi-GB models onto the host, which is a privileged side effect unrelated to business-plan analysis. Even if user-invoked, bundling package installation into this skill increases the attack surface and may lead to unauthorized software changes or supply-chain exposure.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The install/uninstall commands invoke a separate script to register a launchd service for automatic startup, creating persistence on the user's machine. Persistence mechanisms are security-sensitive and outside the stated startup-advisory purpose, so hiding them behind this CLI materially increases risk.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script automatically imports arbitrary unset variables from a generic ~/.openclaw/.env file, not just the specific keys needed for this tool. This broad environment ingestion can unintentionally pull in sensitive credentials or alter runtime behavior in ways users did not consent to, especially in a shared agent environment.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The widget collects sensitive user-entered business-plan text and entire uploaded PDF contents, then transmits them to a remote backend defined at runtime via a configurable API URL. Because this is a client-side embeddable widget and the data includes confidential startup materials, sending it to an arbitrary endpoint materially increases the risk of unauthorized disclosure, interception, or misuse beyond what users would reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script reads document.currentScript.dataset.api and uses it directly as the destination for all submitted text and base64-encoded PDF data. Any page embedding the widget can therefore redirect sensitive submissions to an attacker-controlled server, effectively turning the widget into a data exfiltration component.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide instructs users to expose a local service through ngrok and register it as a public Kakao webhook endpoint, but it does not warn that this makes the development server externally reachable. In this skill context, the endpoint may process founder conversations and business-plan data, so accidental public exposure can leak sensitive data or invite unsolicited requests during testing.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The example webhook payload includes a persistent user identifier and the guide states that conversation history is retained by user.id for up to 20 turns, yet there is no privacy notice, minimization guidance, or retention warning. Because this startup-assistant skill may handle financing, business, and personal founder information, undocumented identifier-based session tracking raises privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code forwards user-provided startup information to an external LLM module when startup_info is present, but there is no visible consent, disclosure, redaction, or policy guard before transmission. Startup descriptions can contain sensitive business plans, financial data, founder identities, or proprietary information, so sending them off-process can create confidentiality and privacy exposure even if no direct code execution occurs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The reset path overwrites user_profile.json immediately with default content and provides no confirmation, warning, backup, or undo mechanism. If this command is invoked accidentally or surfaced through an agent wrapper/tool call, it can cause irreversible local data loss for the user's accumulated profile state.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Executing service installation and removal without a prominent warning or confirmation can cause users to unknowingly modify system startup configuration. In a skill presented as a business assistant, that mismatch in user expectation makes the behavior more dangerous and easier to abuse socially.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The module sends chat messages and text content to third-party APIs (OpenRouter, Gemini, Anthropic, OpenAI) without any built-in consent gate, warning, or data-classification check. In a startup-companion skill, users may provide business plans, financials, or other confidential founder data, making silent external transmission materially risky.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The server persists user evaluation and feedback data to local files such as history.jsonl without any visible consent, notice, retention control, or access protection in the request flow. Because submitted business plans and feedback may contain confidential startup information, silent local storage creates privacy and data-governance risk if the host is shared, backed up, or later compromised.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The feedback pipeline forwards user comments plus cached evaluation context, including portions of submitted plan text and model output, to an external SaaS endpoint when RAON_API_URL and RAON_API_KEY are set. Sending potentially sensitive business data to a third party without an explicit user-facing warning or opt-in materially increases confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function sends up to 3000 characters of input text to an external LLM via `chat(prompt_to_messages(extract_prompt))` without any notice, consent, redaction, or data-classification checks in this file. If users provide unpublished government notices, internal business plans, or sensitive founder data, that content may be disclosed to a third-party model provider and retained or logged outside the user's expectations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
When keyword matching fails, the code forwards up to 1000 characters of user-supplied startup description text to `raon_llm.chat`, which is an external model interface, without any visible consent, notice, or data-minimization policy. In this skill context, users may include confidential business plans, financial details, or proprietary startup ideas, so undisclosed transmission can cause privacy leakage and unintended exposure of sensitive business information.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The guide explicitly documents sending free-form text, model identifiers, and Base64-encoded PDF contents to remote API endpoints, but it does not mention consent, data sensitivity, retention, logging, or privacy handling. In a startup/funding context, uploaded business plans and PDFs are likely to contain confidential financial, strategic, or personally identifiable information, so the omission increases the risk of inadvertent sensitive-data disclosure by integrators and end users.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The widget sends user-entered business plans and uploaded PDF contents to backend API endpoints, but the UI does not clearly disclose that data will be transmitted off-device or processed remotely. Because this skill handles potentially sensitive startup and funding information, users may unknowingly submit confidential materials, creating privacy and trust risk even if transport security is present.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Conversation history is stored in localStorage without any user disclosure or controls. localStorage is persistent and accessible to any script running on the same origin, so sensitive startup ideas, plans, and evaluations may remain on a shared device or be exposed if the origin later suffers XSS or third-party script compromise.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The widget sends user-entered text and base64-encoded PDF contents to a configurable remote API endpoint without any explicit privacy notice, consent prompt, or clear disclosure in the UI. Because this skill is designed for startup founders submitting business plans and financial materials, the transmitted data is likely commercially sensitive, increasing the risk of unintended disclosure to third-party services or misconfigured endpoints.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The UI invites users to paste business plans or attach PDFs, but provides no visible privacy notice, transmission warning, retention policy, or indication of where the data is sent. In this startup-advisory context, users are likely to submit proprietary financial, technical, or fundraising information, so lack of informed consent and disclosure creates meaningful confidentiality and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.
