One Person Company OS

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local workspace generator; its file-writing and script-wrapper behavior fits that purpose, but users should choose the workspace path deliberately.

Install only if you want a local business-workspace generator. Use a dedicated approved directory, review generated business/legal/pricing/customer-facing material before acting on it, do not provide unrelated credentials, and ensure any MCP, Dify, or API host asks before invoking write operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
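An added illustration of the kind of static check the "Behavioral AST" pattern and the "subprocess module call" finding below describe. This is not SkillSpector's implementation; the rule tables and the SAMPLE_SOURCE text are constructed for this example. It resolves import aliases first, so `import subprocess as sp` or `from os import system as shell` cannot hide a call from the scan.

```python
"""Static scan for exec()/eval() calls, dynamic imports and subprocess-style
calls in Python source. Added example, not SkillSpector's own code; rule
tables and SAMPLE_SOURCE are constructed for illustration."""
import ast
from dataclasses import dataclass
from typing import Dict, List, Optional

# Bare builtins that execute or import code taken from a runtime value.
DANGEROUS_BUILTINS = {"exec": "exec() call", "eval": "eval() call",
                      "__import__": "dynamic import"}
# (module, attribute) pairs that import code or spawn processes.
DYNAMIC_IMPORT_CALLS = {("importlib", "import_module")}
SUBPROCESS_CALLS = {("subprocess", "run"), ("subprocess", "Popen"),
                    ("subprocess", "call"), ("subprocess", "check_call"),
                    ("subprocess", "check_output"), ("os", "system"), ("os", "popen")}


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    call: str  # canonical dotted name after alias resolution


def _import_aliases(tree: ast.AST) -> Dict[str, str]:
    """Map local names to canonical dotted names ('sp' -> 'subprocess',
    'shell' -> 'os.system') so aliasing cannot evade the rule tables."""
    aliases: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                local = a.asname or a.name.split(".")[0]
                aliases[local] = a.name if a.asname else local
        elif isinstance(node, ast.ImportFrom):
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module or ''}.{a.name}"
    return aliases


def _dotted_name(node: ast.AST) -> Optional[str]:
    """'a.b.c' for a Name/Attribute chain; None for anything else (e.g. getattr())."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def scan_source(source: str) -> List[Finding]:
    """Return every flagged call, ordered by line number."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        head, _, rest = name.partition(".")
        canonical = aliases.get(head, head) + (f".{rest}" if rest else "")
        module, _, attr = canonical.rpartition(".")
        if not module and canonical in DANGEROUS_BUILTINS:
            kind = DANGEROUS_BUILTINS[canonical]
        elif (module, attr) in DYNAMIC_IMPORT_CALLS:
            kind = "dynamic import"
        elif (module, attr) in SUBPROCESS_CALLS:
            kind = "subprocess module call"
        else:
            continue
        findings.append(Finding(node.lineno, kind, canonical))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample: the flagged wrapper from the findings below, rewritten
# with an alias, plus aliased and builtin variants a naive grep would miss.
SAMPLE_SOURCE = """\
import subprocess as sp
from importlib import import_module
from os import system as shell

def run_script_with_runtime(runtime_path, script_path, script_args):
    completed = sp.run([runtime_path, script_path, *script_args])
    return completed.returncode

def load(name):
    return import_module(name)

def shell_out(cmd):
    return shell(cmd)

def dyn(code):
    eval(code)
    exec(code)
    __import__("os")
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} ({f.call})")
```

Name-based resolution catches aliasing but not calls assembled at runtime (`getattr(builtins, "ev" + "al")`, a module name built from strings), which is one reason a scanner reports a confidence rather than a verdict and a human still reads the code.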
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run_script_with_runtime(runtime_path: str, script_path: str, script_args: list[str]) -> int:
    # Runs whatever interpreter and script the caller names, with caller-supplied arguments;
    # nothing here constrains runtime_path, script_path or script_args.
    completed = subprocess.run([runtime_path, script_path, *script_args])
    return completed.returncode
Confidence
92% confidence
Finding
completed = subprocess.run([runtime_path, script_path, *script_args])

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The adapter exposes a local code-execution capability by dispatching into repository scripts, which is more powerful than the manifest suggests and can perform arbitrary workspace operations through those scripts. In an agent/plugin setting, this mismatch is dangerous because users may grant trust for a dashboard-like skill without realizing it can initialize projects, modify files, or run release validation locally.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The manifest frames this as a visual operating cockpit, but the exported functions perform command-style initialization and update actions against local directories. This creates a trust-boundary problem: an agent or user could invoke side-effecting operations under a misleading description, increasing the chance of unintended file creation or project manipulation.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This script's stated purpose is Python runtime inspection/recovery, but it can run an arbitrary target script passed on the command line. In a marketplace skill for a visual business cockpit, that broader capability is out of scope and increases attack surface because the helper can be repurposed as a generic execution primitive.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The module documentation says it only inspects or switches runtimes, but the --apply and --run-script combination actually executes another script. This mismatch can mislead reviewers and users about the tool's true authority, causing unsafe deployment or approval of code with more powerful behavior than advertised.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The guide states that the repository '优先服务 OpenClaw' (gives priority to serving OpenClaw) and later says the agent system should default to the user's language, with Chinese as the default for Chinese users. Hard-coding a preferred organization/platform context without explicit user opt-in can bias agent behavior, shape outputs toward a specific ecosystem, and override user expectations in multi-tenant or neutral environments. In a skill that defines agent runtime behavior, this is more significant because these instructions can systematically influence every session.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The skill hard-codes output language based on an inferred user type ('Chinese user' vs 'English user') instead of explicitly asking for or honoring a user-stated preference. This can cause incorrect language selection, degrade usability, and create consent/accessibility issues, especially for multilingual users or users whose preferred interface language should not be inferred.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The template instructs the agent to create a standardized workspace and generate a final DOCX file directly, but it does not require explicit user consent, disclose persistence, or clarify where artifacts will be stored. In an agent setting, silent file creation and state persistence can lead to unexpected data retention, accidental disclosure of sensitive business information, and actions that exceed user expectations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
`init_business` forwards user-controlled paths and content into a subprocess that likely initializes a workspace and changes the filesystem, yet this file provides no user-facing warning or consent gate. In agent environments, silent side effects are risky because a model could trigger project creation or overwrite-like behavior in an unintended location.
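A hardened form of the script-dispatch wrapper from the "subprocess module call" finding, which also addresses the `--run-script` execution primitive and the unwarned `init_business` side effects described above. This is an added example, not the skill's own code. The policy it enforces is an assumption for illustration: the runtime must be the interpreter this process already runs under, the script must resolve to a `.py` file inside a caller-approved workspace directory (symlinks and `..` resolved first), the child runs in isolated mode with an allowlisted environment, and a caller-supplied `confirm` callback must approve the exact argv before anything executes.

```python
"""Hardened replacement for run_script_with_runtime. Added example, not the
skill's code; the runtime/workspace/consent policy below is assumed."""
from __future__ import annotations

import os
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Callable, Sequence

# Only these variables reach the child; a script cannot harvest the host's
# secrets from os.environ if they were never passed in.
ENV_ALLOWLIST = ("PATH", "HOME", "LANG", "LC_ALL", "TMPDIR", "TEMP", "TMP",
                 "SYSTEMROOT", "LD_LIBRARY_PATH")


class PolicyViolation(Exception):
    """The requested invocation falls outside the approved runtime/workspace."""


def build_argv(workspace: Path, runtime_path: str, script_path: str,
               script_args: Sequence[str]) -> list[str]:
    """Validate every component before it reaches subprocess; return the argv."""
    workspace = workspace.resolve()
    if not workspace.is_dir():
        raise PolicyViolation(f"workspace is not a directory: {workspace}")
    # Runtime allowlist (assumed policy): only the interpreter we already run under.
    if Path(runtime_path).resolve() != Path(sys.executable).resolve():
        raise PolicyViolation(f"runtime not allowed: {runtime_path}")
    # Script confinement: resolve symlinks and '..' first, then check containment.
    script = Path(script_path)
    real = (script if script.is_absolute() else workspace / script).resolve()
    if workspace not in real.parents:
        raise PolicyViolation(f"script escapes workspace: {script_path} -> {real}")
    if not real.is_file() or real.suffix != ".py":
        raise PolicyViolation(f"not a regular .py file: {real}")
    # -I: isolated mode, so PYTHONPATH/PYTHONSTARTUP and user site cannot hijack the run.
    return [runtime_path, "-I", str(real), *script_args]


def run_script_with_runtime(workspace: Path, runtime_path: str, script_path: str,
                            script_args: Sequence[str],
                            confirm: Callable[[list[str]], bool],
                            timeout: float = 60.0) -> int:
    argv = build_argv(workspace, runtime_path, script_path, script_args)
    # Consent gate: the caller is shown the exact command and must approve it.
    if not confirm(argv):
        raise PolicyViolation("invocation declined by user")
    env = {k: os.environ[k] for k in ENV_ALLOWLIST if k in os.environ}
    completed = subprocess.run(argv, cwd=str(workspace), env=env, timeout=timeout,
                               shell=False, check=False, capture_output=True)
    return completed.returncode


def demo() -> dict:
    """Constructed scenario: a throwaway workspace with one approved script,
    plus a symlink and a '..' path that both point outside it."""
    results: dict = {}
    always_yes: Callable[[list[str]], bool] = lambda argv: True
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "workspace"
        ws.mkdir()
        (ws / "hello.py").write_text("import sys; raise SystemExit(7)\n")
        outside = Path(tmp) / "outside.py"
        outside.write_text("raise SystemExit(99)\n")
        try:
            (ws / "escape.py").symlink_to(outside)
            have_symlink = True
        except OSError:  # e.g. unprivileged Windows: symlinks unavailable
            have_symlink = False

        results["approved"] = run_script_with_runtime(
            ws, sys.executable, "hello.py", ["x"], always_yes)
        attempts = {
            "traversal": (sys.executable, "../outside.py", always_yes),
            "runtime": ("/bin/sh", "hello.py", always_yes),
            "declined": (sys.executable, "hello.py", lambda argv: False),
        }
        if have_symlink:
            attempts["symlink"] = (sys.executable, "escape.py", always_yes)
        for label, (runtime, script, confirm) in attempts.items():
            try:
                run_script_with_runtime(ws, runtime, script, [], confirm)
                results[label] = "ran"
            except PolicyViolation:
                results[label] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check compares resolved paths on both sides, so a symlink inside the workspace that points elsewhere is rejected on the same footing as `../outside.py`; validation is kept separate from execution so an agent host can log or display `build_argv`'s result in its confirmation prompt.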

VirusTotal

66 of 66 vendors reported this skill as clean.

View on VirusTotal