CatchClaw

Security checks across malware telemetry and agentic risk

Overview

CatchClaw mostly matches its declared marketplace-management purpose, but two behaviors deserve review before installing: it can overwrite the local OpenClaw workspace (rollback/restore), and it launches the external openclaw CLI as a subprocess. Neither is fully scoped in the user-facing instructions.

Review carefully before installing. Prefer a new, named agent install over overwriting an existing one; use rollback only when you intend to replace the main OpenClaw workspace from a backup; avoid --latest unless you know which backup it will select; and treat export as able to run local OpenClaw enrichment unless you pass --skip-enrich.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The CLI exposes rollback/restore functionality that can recursively replace the main OpenClaw workspace, which exceeds the declared marketplace/search/install/export scope. In a skill expected to manage marketplace packages, adding destructive local restore behavior expands the attack surface and can unexpectedly modify or erase a user's active workspace.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding
The code resolves the external openclaw CLI at run time and executes it for agent registration, listing, and enrichment, which goes beyond simple marketplace search/install/export behavior. Even with shell: false (so no shell parses the arguments), invoking another CLI inherits that tool's capabilities and trust boundary, so this skill can trigger additional local actions not disclosed by its stated purpose.

Intent-Code Divergence

Severity: Medium
Confidence: 80%
Finding
The top-level security note asserts that all network behavior is read-only GET traffic and implies no broader side effects, but later code launches openclaw subprocesses that may perform additional actions outside those guarantees. Misleading safety claims are dangerous because users and reviewers may rely on them and underestimate the real capabilities of the tool.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The rollback command can delete and replace the main workspace after only selecting a backup, with no explicit destructive-action confirmation before rmrf(MAIN_WORKSPACE) and restore. This creates a real risk of accidental data loss, and of social engineering: an attacker need only convince a user to run rollback.

VirusTotal

65/65 vendors flagged this skill as clean.
