ClawHub

Crabwalk

Security checks across malware telemetry and agentic risk

Overview

Crabwalk appears to be a real monitoring tool, but it asks users to install an unpinned remote binary that can read OpenClaw credentials and expose monitoring/workspace data over the local network.

Review this carefully before installing. Use it only if you trust the Crabwalk publisher and GitHub release, prefer a pinned and verified release, avoid automatic sudo/package-manager steps, bind to localhost unless LAN sharing is required, and assume the monitor may expose agent activity, workspace files, and OpenClaw gateway-backed access to anyone who can reach the server.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as a monitoring companion, but it also instructs the agent to perform marketing and feedback-collection tasks that are outside the declared purpose. This creates scope creep and can cause the agent to pressure users into promotional or data-collection flows they did not consent to when enabling a monitoring tool.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The documentation explicitly tells the agent to encourage the user to publicly tweet about the product. That is promotional outreach unrelated to the technical monitoring function and can manipulate the user or misuse agent trust for marketing purposes.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to collect product feedback and invoke a separate remote feedback skill, which extends beyond the stated monitoring purpose. This can lead to unanticipated data sharing and trains the agent to redirect user interactions into vendor-controlled collection channels.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installation step performs persistent filesystem changes, modifies shell startup files, downloads and extracts remote binaries, and may invoke package managers with sudo, all without an upfront warning summarizing those effects. Users may approve installation without understanding that the skill changes PATH, writes to home-directory locations, and may trigger privileged package installation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill tells the agent to share a network-accessible HTTP URL and notes that the server binds to a non-local address, but it does not warn that this may expose agent activity to other devices on the network. In context, the monitor includes activity graphs and workspace browsing, so network exposure materially increases privacy and security risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The feature list says the tool auto-detects a gateway token from local OpenClaw configuration without warning the user that credentials may be read from disk and used automatically. Because this is a monitoring tool that also exposes a network UI, silent token use increases the chance of unintended credential handling and sensitive data exposure.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal