Server Test Converter

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward converter, but its generated tests can run real server commands, so use only trusted command files.

Install only if you need to convert server command text files into pytest tests. Review the input .txt files and generated test_*.py files before running pytest, use a trusted test_framework.py, avoid hardcoding real SSH passwords, and keep outputs in a directory where overwriting generated tests is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (83% confidence)
Finding
The trigger includes broad phrases like mentions of server testing or NIC testing, which can cause the skill to activate during ordinary discussion rather than an explicit request to convert files. Over-broad activation is dangerous because this skill performs file transformation and could generate or overwrite artifacts when the user did not intend to invoke it.

Missing User Warnings

Medium (86% confidence)
Finding
The documentation instructs writing outputs into fixed locations under /home/admin/.openclaw/tytest/ but does not warn about overwriting existing test files or clobbering user data. In a shared or reused workspace, predictable fixed-path writes can destroy prior artifacts, corrupt test suites, or replace trusted files with generated content.

Missing User Warnings

Medium (92% confidence)
Finding
The examples encourage SSH command execution and local shell execution, including embedded credentials and arbitrary command handling, without prominent warnings about security and system impact. In this skill's context, the generated tests are built from command files, so unsafe examples normalize executing untrusted or destructive commands on hosts or test devices.

VirusTotal

64/64 vendors flagged this skill as clean.
