Zhuaxia

Security checks across malware telemetry and agentic risk

Overview

This backup/migration skill matches its stated purpose, but imported packages can install active skills and rollback may not fully undo those changes.

Install only if you intentionally need full OpenClaw instance backup or migration. Treat .claw files and .claw URLs like packages that can change your agent and install skills, not like harmless documents. Always dry-run and review bundled skills, overwritten workspace files, and imported config before loading. Keep the backup ID, but do not rely on rollback to fully clean up an import; manually check and remove any new workspace files or skills that should not remain.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The skill is presented as handling local backup/import of `.claw` packages, but it also instructs the agent to fetch a package from an arbitrary URL and then import it. That expands the trust boundary from local user-provided files to untrusted remote content, creating a supply-chain and arbitrary content ingestion risk that is not justified by the stated purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
After import, the skill instructs the agent to install additional skills from ClawHub, which introduces package installation behavior beyond simple backup/migration. This allows imported content to drive follow-on dependency installation from external sources, increasing attack surface and enabling chained compromise if referenced skills are malicious or typosquatted.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
Using `curl` to download arbitrary remote `.claw` files gives a backup/import tool an unnecessary network retrieval capability and lets untrusted remote content flow directly into the import pipeline. Even with a dry-run step, this exposes the system to malicious packages, spoofed URLs, and social-engineering-driven installation of hostile agent state or bundled skills.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The export path bundles entire local skill source trees from the skills directory, and the import path reinstalls those files into the target instance. That can propagate unreviewed executable skill code and embedded secrets or malicious logic from one environment to another, turning a backup/share workflow into a code distribution mechanism. In this skill context, that is more dangerous because users may treat a .claw package as a benign data backup rather than something that can install active capabilities.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger list includes broad phrases like 'rollback' and 'save my setup' that may match ordinary conversation and invoke a high-impact skill that reads, writes, imports, or restores local state. Because this skill can modify OpenClaw workspace, config, and skills, unintended activation materially raises the chance of accidental destructive or privacy-impacting actions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
Rollback copies backed-up files over the current workspace and config but does not remove files created after the backup. This can leave malicious or stale files in place while presenting the system as restored, causing false trust in rollback and allowing persistence of unwanted content. In a migration/restore skill, incomplete rollback semantics are especially risky because users rely on it for recovery after bad imports.
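The dry-run review the Overview asks for (bundled skills, overwritten workspace files, imported config) and the post-rollback residue check that the finding above implies, as an added example; this is not code from the Zhuaxia skill or from OpenClaw. It assumes the package is a zip archive whose entries are prefixed skills/, config/ and workspace/ (the page does not document the real .claw layout), and the workspace and package it inspects are constructed inside the block.

```python
"""Dry-run review of a backup package plus a post-rollback residue check.

Added example, not Zhuaxia or OpenClaw code. Assumed: the package is a zip
archive with skills/, config/ and workspace/ prefixes (the .claw layout is
not documented on the page).
"""
import hashlib
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath

SKILL_PREFIX, CONFIG_PREFIX, WORKSPACE_PREFIX = "skills/", "config/", "workspace/"


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _unsafe(name: str) -> bool:
    """Absolute paths and '..' components must never reach the import step."""
    return name.startswith("/") or ".." in PurePosixPath(name).parts


def review_package(package: bytes, workspace_dir: str) -> dict:
    """Dry-run: classify every archive entry without writing anything.
    'new_files' are the entries a copy-back rollback would later leave behind."""
    report = {k: [] for k in ("skills", "config", "overwrites", "unchanged", "new_files", "rejected")}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if _unsafe(name):
                report["rejected"].append(name)
            elif name.startswith(SKILL_PREFIX):
                report["skills"].append(name)        # active capability, review its source
            elif name.startswith(CONFIG_PREFIX):
                report["config"].append(name)
            elif name.startswith(WORKSPACE_PREFIX):
                rel = name[len(WORKSPACE_PREFIX):]
                target = os.path.join(workspace_dir, rel)
                if not os.path.exists(target):
                    report["new_files"].append(rel)
                else:
                    with open(target, "rb") as fh:
                        same = _digest(fh.read()) == _digest(zf.read(name))
                    report["unchanged" if same else "overwrites"].append(rel)
            else:
                report["rejected"].append(name)      # unexpected location: do not import blindly
    return report


def snapshot(workspace_dir: str) -> dict:
    """Manifest {relative path: sha256} of the workspace; take it before importing."""
    manifest = {}
    for root, _, files in os.walk(workspace_dir):
        for fname in files:
            path = os.path.join(root, fname)
            rel = os.path.relpath(path, workspace_dir).replace(os.sep, "/")
            with open(path, "rb") as fh:
                manifest[rel] = _digest(fh.read())
    return manifest


def rollback_residue(backup: dict, workspace_dir: str) -> list:
    """Files a copy-back rollback cannot remove: present now, absent from the backup."""
    return sorted(set(snapshot(workspace_dir)) - set(backup))


def build_sample(tmp: str) -> tuple:
    """Constructed workspace and package for the demo; not real Zhuaxia data."""
    ws = os.path.join(tmp, "workspace")
    os.makedirs(ws)
    with open(os.path.join(ws, "notes.md"), "wb") as fh:
        fh.write(b"original notes\n")
    with open(os.path.join(ws, "keep.txt"), "wb") as fh:
        fh.write(b"unchanged\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("workspace/notes.md", b"imported notes\n")       # differs: overwrite
        zf.writestr("workspace/keep.txt", b"unchanged\n")            # identical
        zf.writestr("workspace/extra.sh", b"echo added by import\n") # new file
        zf.writestr("skills/helper/skill.md", b"# bundled skill\n")  # skill source tree
        zf.writestr("config/agent.json", b"{}\n")
        zf.writestr("../escape.txt", b"x\n")                         # traversal attempt
    return ws, buf.getvalue()


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        ws, package = build_sample(tmp)
        backup = snapshot(ws)                  # keep this alongside the backup ID
        review = review_package(package, ws)
        # Apply only the workspace part of the import, as a copy-over would.
        with zipfile.ZipFile(io.BytesIO(package)) as zf:
            for rel in review["overwrites"] + review["new_files"]:
                with open(os.path.join(ws, rel), "wb") as fh:
                    fh.write(zf.read(WORKSPACE_PREFIX + rel))
        # Copy-back rollback restores notes.md but never touches extra.sh.
        return {"review": review, "residue": rollback_residue(backup, ws)}


if __name__ == "__main__":
    print(demo())
```

The residue list is what to remove by hand after a rollback; the review's skills and config lists are what to read before loading, and anything under rejected should stop the import outright.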

VirusTotal

66/66 vendors reported this skill as clean (no detections).