CrabPet

Security checks across malware telemetry and agentic risk

Overview

CrabPet is a real pet feature, but it reads historical OpenClaw memory logs to infer habits and saves shareable derived activity data, so it needs review before installation.

Install only if you are comfortable with the skill reading your OpenClaw memory logs and turning your activity history into persistent pet stats and shareable cards. Review generated cards before sharing, and consider avoiding the PNG card path unless you accept local Chrome execution and a possible Google Fonts request.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Behavioral ASTexec() Call, eval() Call, Dynamic Import
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration

Findings (18)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: # Use Chrome headless to take screenshot png_str = str(output_png_path) try: proc = subprocess.run( [ chrome_bin, "--headless",
Confidence: 94% confidence
Finding: proc = subprocess.run( [ chrome_bin, "--headless", "--disable-gpu", "--no-sandbox", "--screenshot="

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill invokes Python scripts and instructs the agent to read and write local files, yet it declares no corresponding permissions or user-visible capability boundaries. This creates a mismatch between what the skill can do and what reviewers or users may expect, increasing the risk of unauthorized filesystem access or shell execution through the skill runtime.

Description-Behavior Mismatch

Medium

Confidence: 96% confidence
Finding: The skill reads full workspace memory log contents and performs keyword/personality analysis over them, which exceeds the minimum data needed for a pet-status feature. This creates a privacy issue because sensitive conversation content is ingested and processed to derive behavioral traits without minimization or clear boundaries.

Context-Inappropriate Capability

High

Confidence: 97% confidence
Finding: The card-generation flow invokes an external browser to open a generated local HTML file and screenshot it, introducing a larger attack surface than necessary for a cosmetic feature. Because it relies on local file rendering and process execution, any compromise in the HTML/template or browser environment can have effects outside the intended pet-card logic.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The README explicitly states the skill reads existing OpenClaw memory logs, which may contain sensitive conversation history, but it does not warn users about the privacy implications or describe scope, consent, retention, or minimization. In this skill context, accessing memory files is central to functionality, which makes the omission more dangerous because users may install it expecting a harmless pet feature rather than one that analyzes historical data.

Missing User Warnings

Low

Confidence: 85% confidence
Finding: The documentation shows that pet_state.json and generated pet cards are auto-created on disk, including potentially shareable output, but it does not warn users that behavioral summaries derived from usage history will be persisted. In context this is lower severity than raw memory access, but still risky because these files can expose activity patterns, personality inferences, and other metadata if shared or left on disk unintentionally.

Vague Triggers

Medium

Confidence: 79% confidence
Finding: The trigger phrases are broad enough that normal conversation about pets could activate the skill unexpectedly. Unintended activation matters here because the skill reads user-derived logs and may generate personalized summaries without the user specifically asking for that behavior.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill computes pet state and personality from conversation-derived memory and daily logs, but the description does not clearly warn users that their past interactions are being analyzed for profiling. This lack of transparency can lead to non-consensual behavioral inference and surprise data use beyond what a casual 'pet companion' description suggests.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The design explicitly uses daily logs, long-term memory, and session records as inputs to infer pet traits and growth, but it does not describe informed consent, data minimization, or user-visible privacy warnings. Because these sources can contain sensitive behavioral and personal information, repurposing them into a gamified feature creates a real privacy risk even if the intent is product engagement rather than abuse.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The sharing-oriented design encourages screenshots and public display of pet state derived from user activity, but it does not warn that those outputs may expose usage patterns such as inactivity windows, work habits, personality inferences, or streaks. That makes accidental disclosure of behavioral metadata likely, especially because the feature is framed as inherently social and viral.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: Daily summaries and pet cards are described as reflecting what the user did, including examples like how many scripts they wrote, which directly derives outward-facing content from prior activity. Without disclosure boundaries or review controls, this can leak sensitive work patterns, project context, or personal habits to anyone who sees the generated output.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill reads and analyzes memory logs without clearly informing the user that workspace conversation data will be accessed for this feature. In context, this is dangerous primarily as a privacy and consent failure: users asking for a pet card would not reasonably expect broad inspection of historical memory content.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill persists derived profile/state data and exports card files to disk without clearly warning the user. This can leak behavioral summaries, achievement history, and pet metadata to local storage or shared directories, especially if the generated files are later uploaded or synced.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: Headless Chrome is launched without an explicit user warning, which matters because it is an external executable unrelated to the core expectation of a simple pet-status command. The danger is less about command injection here and more about undisclosed process execution and expanded attack surface on the host.

Ssd 3

Medium

Confidence: 94% confidence
Finding: The skill is designed to derive behavioral summaries from conversation memory and daily logs, effectively profiling the user's habits and activity patterns. In this context, the danger is elevated because the feature is framed as a playful pet, which can obscure that it is performing historical analysis on user content.

Ssd 3

Medium

Confidence: 96% confidence
Finding: The engine scans log contents for keywords to infer personality traits such as coder, writer, analyst, and activity intensity, which is a form of behavioral profiling based on prior interactions. This becomes more dangerous because the inferred profile is persistent and can reveal sensitive patterns about work habits, interests, or routines that users may not expect to be extracted from logs.

Ssd 3

Medium

Confidence: 94% confidence
Finding: The core design instructs the skill to read multiple internal data stores and repurpose them into pet state, summaries, and cards without defining consent boundaries, retention limits, or strict minimization. This is a true privacy-by-design issue because the system expands the use of sensitive conversational data beyond its original context into profile generation and potential external sharing.

Ssd 3

Medium

Confidence: 92% confidence
Finding: The daily summary feature semantically directs inspection of prior conversations to report what the user did, which creates a disclosure channel from private interaction history into a user-facing summary that may be shared or observed by others. In this skill context, the gamification and social-sharing goals increase the chance that such derived disclosures leave the original private context.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal