Smart Market Watch (智能盯盘)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to provide market alerting, but it uses an external WebSocket service, a secret token, and email/phone notification data with weak disclosure and an insecure ws:// connection.

Review this skill carefully before installing. Only use it if you understand which backend receives your watch requests and contact details, can supply a narrowly scoped token, and are comfortable with email or phone alerts. The ws:// transport should be fixed to encrypted wss:// before using real credentials or personal contact information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill references an environment variable (`OPENCLAW_WS_TOKEN`) and describes runtime behavior that depends on external connectivity, but the manifest does not declare corresponding permissions or clearly disclose that secret-backed external access is required. Undeclared capability use weakens reviewability and can cause the agent framework or users to grant more trust than warranted, especially for a skill that sends data to remote services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose understates important behavior: the skill can transmit alerts through email and phone-call channels and connects to a hardcoded external WebSocket backend. This mismatch is security-relevant because users and platform reviewers may believe the skill only performs in-chat monitoring, while it can export user data/contact details and trigger outbound communications via an undisclosed third-party service.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill includes email and phone-call delivery channels with hardcoded example recipient fields, which expands it from passive market monitoring into outbound communications involving potentially sensitive destinations. In an agent-skill context, this can enable unintended notification sending, abuse of paid call channels, or disclosure of trading alerts to third parties if user consent and destination validation are not enforced.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill accepts email addresses and phone numbers for notification delivery, including outbound call initiation, but provides no warning about transmitting contact data to external services or the privacy/safety implications of automated calls. In context, this is more dangerous because the skill is designed to act on conversational requests, so a user may casually provide contact details without informed consent about data handling.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
A sensitive token is used to authenticate a WebSocket connection over plain ws:// rather than encrypted wss://. This exposes the credential and market-monitoring traffic to interception or manipulation by any attacker on the network path, which is especially risky because the token likely authorizes backend actions such as submitting watch demands or receiving trigger events.

VirusTotal

65/65 vendors flagged this skill as clean.
