Openclaw Skill Ansible

Security checks across malware telemetry and agentic risk

Overview

This is a real OpenClaw mesh-operations skill, but it grants broad deployment and command authority with controls that are too under-scoped for automatic trust.

Install only in a controlled operator environment. Keep high-risk gates disabled by default, restrict allowed callers to authenticated operators, review any plugin or skill artifact source before use, and avoid host execution of downloaded artifact scripts unless separately sandboxed and approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The spec permits real-environment apply operations after either PR approval or a `kind: "decision"` message, but it does not define a concrete authentication, authorization, or anti-spoofing mechanism for verifying that approval actually came from the owner. In a multi-agent messaging system, vague approval semantics can let a compromised or spoofing agent trigger production changes, undermining the claimed safety guarantees.

Intent-Code Divergence

Medium
Confidence: 84%
Finding
The module presents itself as a secure dispatcher, but its authorization model is partly controlled by environment variables that can broaden the caller allowlist or enable high-risk actions at runtime. In environments where an attacker, wrapper process, CI job, or misconfigured orchestrator can influence environment variables, these controls can be weakened or bypassed without code changes, undermining the trust implied by the security claim.
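The two findings above point at the same gap: an approval that is not cryptographically bound to a specific apply, from a sender whose identity is checked only loosely, with the allowlist itself movable at runtime through the environment. The following is an added example of what a dispatcher-side check could look like; it is not OpenClaw's or this skill's code. It assumes the owner and the dispatcher share a secret loaded once at startup, that the approver allowlist is fixed in code or an operator-controlled config file (never read from `os.environ` at call time), and that every apply is identified by a `target` string such as a plan digest. All names (`APPROVER_ALLOWLIST`, `sign_decision`, `verify_decision`, the message fields) are hypothetical.

```python
"""Added example (not the skill's code): binding a `kind: "decision"` message
to one apply, one approver and one use before it is honoured."""
import hashlib
import hmac
import json
import time

# Hypothetical: loaded once from an operator-controlled config file at startup.
# Deliberately NOT read from os.environ per call, so a wrapper process, CI job
# or misconfigured orchestrator cannot widen it without a config change.
APPROVER_ALLOWLIST = frozenset({"owner"})
DECISION_TTL_SECONDS = 300


def _canonical(msg: dict) -> bytes:
    """Deterministic encoding of every field except the signature itself."""
    body = {k: v for k, v in msg.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_decision(msg: dict, key: bytes) -> dict:
    """Owner side: attach an HMAC-SHA256 over the canonical message."""
    mac = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return {**msg, "sig": mac}


def verify_decision(msg: dict, key: bytes, target: str, seen_nonces: set, now=None):
    """Dispatcher side. Returns (ok, reason). Nothing in `msg` is trusted
    until the signature has been checked; the nonce is only recorded on success."""
    now = time.time() if now is None else now
    if msg.get("kind") != "decision":
        return False, "not a decision message"
    if msg.get("from") not in APPROVER_ALLOWLIST:
        return False, "sender is not an allowed approver"
    expected = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(msg.get("sig", ""))):
        return False, "bad signature"
    if msg.get("decision") != "approve":
        return False, "not an approval"
    if msg.get("target") != target:
        return False, "approval is for a different apply"
    ts = msg.get("ts")
    if not isinstance(ts, (int, float)) or abs(now - ts) > DECISION_TTL_SECONDS:
        return False, "stale or missing timestamp"
    nonce = msg.get("nonce")
    if not nonce or nonce in seen_nonces:
        return False, "missing or replayed nonce"
    seen_nonces.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # constructed sample secret
    seen = set()
    approval = sign_decision(
        {"kind": "decision", "from": "owner", "decision": "approve",
         "target": "plan-sha256:abc", "ts": 1000, "nonce": "n1"}, key)
    print(verify_decision(approval, key, "plan-sha256:abc", seen, now=1000))
    # A second presentation of the same message is rejected as a replay.
    print(verify_decision(approval, key, "plan-sha256:abc", seen, now=1000))
```

A message from any other agent fails the allowlist before the signature is even examined, a message whose fields were edited after signing fails the MAC, and an approval minted for one plan cannot be reused for another because `target` is under the signature. Without a shared secret or signing key the `from` field is just a string any peer on the mesh can write, which is the spoofing case the first finding describes.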

Missing User Warnings

Medium
Confidence: 94%
Finding
The script downloads an externally supplied archive, extracts it directly into a live skills directory, and then executes a bundled test_smoke.sh script from that archive. Although HTTPS, a SHA-256 check, and a feature flag reduce accidental misuse, this still creates a direct path from task input to filesystem modification and arbitrary code execution if a malicious or incorrectly trusted artifact is approved.
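The SHA-256 check only helps when the expected digest comes from somewhere the artifact source cannot also control, and extraction into a live directory plus execution of a bundled script means a single approved-but-malicious archive is enough. As an added illustration (not this skill's code) of the fetch-then-install path done more conservatively: the archive is assumed to be a tar.gz, the expected digest is supplied by the operator out of band, extraction goes to a fresh staging directory with path-traversal and link members rejected and execute bits stripped, and bundled scripts such as `test_smoke.sh` are returned for review rather than run. `build_archive` constructs the sample input so the example runs offline; all function names are hypothetical.

```python
"""Added example (not the skill's code): pinned-hash verification and safe
staging of a downloaded skill archive, with no execution of its contents."""
import hashlib
import hmac
import io
import os
import tarfile
import tempfile


def verify_sha256(blob: bytes, expected_hex: str) -> bool:
    """Compare against a digest the operator pinned out of band."""
    digest = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(digest, expected_hex.lower())


def _is_within(base: str, target: str) -> bool:
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def safe_extract(blob: bytes, dest: str) -> list:
    """Write only regular files and directories under `dest`. Absolute names,
    '..' components, symlinks, hard links and devices abort the whole install.
    Execute bits are dropped so nothing from the archive is runnable as-is."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            name = member.name
            if os.path.isabs(name) or ".." in name.split("/"):
                raise ValueError(f"rejected path in archive: {name!r}")
            if not (member.isfile() or member.isdir()):
                raise ValueError(f"rejected member type for: {name!r}")
            target = os.path.join(dest, name)
            if not _is_within(dest, target):
                raise ValueError(f"path escapes staging dir: {name!r}")
            if member.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(tar.extractfile(member).read())
            os.chmod(target, 0o644)
            written.append(name)
    return written


def scripts_needing_review(paths) -> list:
    """Anything that looks executable is surfaced to the operator, not run."""
    return sorted(p for p in paths
                  if p.endswith((".sh", ".py")) or os.path.basename(p) == "test_smoke.sh")


def stage_artifact(blob: bytes, expected_sha256: str):
    """Verify, then extract into a throwaway staging directory (never the live
    skills directory). Returns (staging_dir, files_written, scripts_for_review)."""
    if not verify_sha256(blob, expected_sha256):
        raise ValueError("artifact digest does not match the pinned SHA-256")
    staging = tempfile.mkdtemp(prefix="skill-staging-")
    files = safe_extract(blob, staging)
    return staging, files, scripts_needing_review(files)


def build_archive(files: dict) -> bytes:
    """Constructed sample input: an in-memory tar.gz with mode 0755 entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), 0o755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_archive({"skill/SKILL.md": b"# constructed skill\n",
                          "skill/test_smoke.sh": b"#!/bin/sh\necho smoke\n"})
    pinned = hashlib.sha256(blob).hexdigest()  # stands in for the operator's pin
    staging, files, review = stage_artifact(blob, pinned)
    print(staging, files, "review before running:", review)
```

Promotion from the staging directory into the live skills directory is then a separate, explicitly approved step, and the smoke script is run only inside whatever sandbox the operator has approved for it, which is the control the finding says is missing.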

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal