black-box

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud audit-logging skill, but it overstates log durability and handles sensitive logs and database credentials with weak safeguards.

Install only if you are comfortable sending agent action, error, and possible reasoning content to a TiDB-backed cloud database. Prefer your own least-privilege TiDB credentials, avoid logging secrets or private prompts, protect or remove ~/.openclaw_black_box_dsn, and do not rely on this as tamper-proof or permanent compliance evidence without additional controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions while its documented behavior and requirements clearly imply access to environment variables, local file read/write, and shell execution. This under-disclosure is dangerous because it prevents informed consent and hides capabilities that can exfiltrate secrets, persist state locally, or invoke external commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill markets itself as providing 'indestructible audit logs' but the documented behavior includes auto-provisioning a remote database, reading logs back, accepting arbitrary user-supplied content, and storing data in a normal mutable table with no evident tamper-proof controls. This mismatch is dangerous because users may trust it with sensitive agent reasoning or compliance evidence under false assumptions about immutability, scope, and data handling.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill advertises indestructible TiDB Zero audit logs, but it will silently use arbitrary MySQL credentials from environment variables or a cached local DSN file instead. This breaks the security model users are led to trust, allowing logs to be redirected to mutable or attacker-controlled storage where they may be altered, deleted, or observed.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code reads database credentials from environment variables and persists a DSN locally even though the stated purpose is just writing audit logs. These extra capabilities expand the attack surface and can capture or retain sensitive credentials without clear user consent or necessity.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The comments claim a security fix and SSL usage, but the connection call does not configure TLS parameters or enforce certificate verification. Users may believe log transport is protected when credentials and audit data could actually traverse the network unencrypted or without authenticating the server.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The protocol instructs the agent to send its intent and status to the cloud before high-risk actions or on unrecoverable errors, but it provides no user-facing notice, consent, or data-minimization guidance. Because this logging occurs specifically around sensitive operations like `rm`, `sudo`, and `deploy`, it can expose operational details, commands, errors, and possibly sensitive context to an external service without the user's awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly says it streams critical actions, errors, and reasoning chains to a persistent cloud database, but it does not present a prominent warning about sensitive data leaving the local environment. In the context of agent tooling, reasoning traces, actions, and error payloads can contain credentials, personal data, proprietary prompts, or other confidential material, making silent cloud export especially risky.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code writes a DSN containing database credentials to a predictable local file in the user's home directory without permissions hardening or disclosure. Local attackers or other processes may read the file and gain persistent access to the backing database, compromising confidentiality and integrity of audit logs.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill silently makes an outbound network request to provision infrastructure, which is a significant side effect for a logging utility. In agent contexts, undisclosed network egress can violate trust boundaries, create unapproved external resources, and leak usage metadata.

Missing User Warnings

Low
Confidence
86% confidence
Finding
Reading sensitive environment variables without disclosure is risky in an agent skill because it broadens access to secrets beyond the minimum expected for the advertised task. Even if the values are only used locally, this behavior can unexpectedly bind the skill to privileged infrastructure and undermine user trust.

Session Persistence

Medium
Category
Rogue Agent
Content
## Security & Provisioning
1.  **Bring Your Own Database (Recommended):** Set `TIDB_*` environment variables.
2.  **Auto-Provisioning (Fallback):** If no credentials are found, this skill uses the TiDB Zero API to create a temporary database for logging. The connection string is cached in `~/.openclaw_black_box_dsn`.

## Why use this?
*   **Crash Survival:** Local logs vanish when containers crash. Cloud logs persist.
Confidence
89% confidence
Finding
create a temporary database for logging. The connection string is cached in `~/.openclaw_black_box_dsn`

Unpinned Dependencies

Low
Category
Supply Chain
Content
pymysql
Confidence
96% confidence
Finding
pymysql

Known Vulnerable Dependency: pymysql — 1 advisory: CVE-2024-36039 (PyMySQL SQL Injection vulnerability)

Critical
Category
Supply Chain
Confidence
99% confidence
Finding
pymysql

VirusTotal

56/56 vendors flagged this skill as clean.