Ai Trends Reporter

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward AI-news and ClawHub skill recommendation reporter, with expected use of API credentials and a local installed-skills list but no evidence of hidden or destructive behavior.

Before installing, be comfortable with the skill using a Brave Search API key, optionally using a ClawHub token, and reading the names of installed OpenClaw skills to personalize recommendations. The provided artifacts do not show hidden exfiltration, automatic installation, or destructive behavior.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may use external service credentials and, if a ClawHub token is provided, account-linked ClawHub access.

Why it was flagged

The skill declares a required Brave Search API key and an optional ClawHub token for its news search and skill-ranking features.

Skill content

requires":{"env":["BRAVE_API_KEY"]},"optional":{"env":["CLAWHUB_TOKEN"]}

Recommendation

Provide only the credentials needed for the report, prefer least-privilege or revocable tokens where available, and avoid sharing generated reports that expose account-specific details.

What this means

Installed skill names may appear in the agent context or report, which could reveal information about the user's tooling setup.

Why it was flagged

The helper script enumerates locally installed OpenClaw skills so the report can recommend uninstalled skills.

Skill content

SKILLS_DIR="$HOME/.openclaw/workspace/skills/skills"
INSTALLED_SKILLS=$(ls -1 "$SKILLS_DIR" 2>/dev/null | tr '\n' ',')

Recommendation

Review the report before sharing it externally, and run it only in the intended OpenClaw workspace.

What this means

Users have less source context for verifying the publisher or update history, although the included code is visible and simple.

Why it was flagged

The package metadata points to generic GitHub URLs rather than a specific repository, which provides limited provenance information.

Skill content

"homepage": "https://github.com",
"repository": "https://github.com"

Recommendation

Install from a trusted publisher and inspect future updates, especially if later versions add install steps or network-handling code.