元宝派主动推送 (Yuanbao proactive push)

Security checks across malware telemetry and agentic risk

Overview

This skill is a documented Yuanbao bot messaging tool, but it gives agents broad message-sending and file-upload authority as your bot and can disrupt the normal OpenClaw Yuanbao plugin connection.

Install it only if you intentionally want agents or scheduled jobs to send Yuanbao messages and upload files as your bot. Restrict who can invoke it, keep ~/.openclaw/openclaw.json readable only by your own user, never send secrets or private files through it, confirm recipients and file paths before each use, and do not run it while the normal Yuanbao plugin must remain online.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium severity
94% confidence
Finding
The README explicitly documents that using this skill establishes a second WebSocket session with the same bot_id and kicks the existing Yuanbao plugin connection (`instanceid conflict`). That is an intentional denial-of-service condition against the normal plugin channel, a real availability issue even though it is disclosed as a limitation. Because the skill is specifically designed for proactive sending outside the normal channel, the disruption is partly expected, but it remains dangerous because it can silently disable message reception for around 15 minutes.

Intent-Code Divergence

Medium severity
84% confidence
Finding
The security section asserts that credentials are not transmitted to third parties, but the documented workflow uses appKey/appSecret to obtain tokens and upload credentials from Yuanbao/Tencent services. Even if that transmission goes to the intended platform operator rather than an arbitrary third party, an inaccurate security claim can lead operators to underestimate credential exposure and misjudge trust boundaries. The issue is incorrect documentation rather than a direct code-execution risk, so the impact is limited but real.

Missing User Warnings

Medium severity
90% confidence
Finding
The README describes active message and file sending to Yuanbao/Tencent infrastructure but does not prominently warn users that message contents, file contents, identifiers, and related metadata are disclosed to external services. For a skill intended for cron jobs, cross-session notifications, and background automation, this omission matters more, because it raises the chance that users send sensitive operational or personal data without informed consent. This is a genuine security and privacy weakness in the skill's disclosure model.

Missing User Warnings

Medium severity
97% confidence
Finding
The upload commands send arbitrary local file contents to remote Tencent-controlled services, but neither the interface nor the code provides an explicit warning, confirmation step, destination summary, or restriction on which paths may be uploaded. In an agent or automation context, this raises the risk of unintended exfiltration of sensitive local data such as SSH keys, config files, tokens, or private documents.

Missing User Warnings

Medium severity
88% confidence
Finding
The skill reads long-lived credentials from a local config file and sends derived authentication data and temporary tokens to remote endpoints without an explicit disclosure or consent flow. In an agent setting, silent use of stored credentials can surprise users and enable unauthorized outbound actions when the skill is invoked by another component or by a prompt-influenced workflow.
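The overview's guidance (restrict invocation, protect ~/.openclaw/openclaw.json, confirm recipients and file paths) and the two findings above about unrestricted upload paths and silent credential use all point at the same missing control: a pre-flight gate in front of the upload call. The Python guard below is an added example, not code from the skill, from OpenClaw, or from SkillSpector. The allowed upload roots, the recipient allowlist, the denylist of sensitive file names, the secret-scanning regex, and the sample files built in run_demo() are all assumptions; the only details taken from the report are the config file location and the Yuanbao/Tencent destination.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Iterable, List, Optional

# Location the report says the skill reads its long-lived appKey/appSecret from.
DEFAULT_CONFIG = Path.home() / ".openclaw" / "openclaw.json"
# Remote side that uploads go to, per the report; named so the summary can state it.
DESTINATION = "Yuanbao/Tencent upload service"

# Assumed denylist: files that should never leave a host through an automation tool.
SENSITIVE_NAMES = {"id_rsa", "id_ed25519", "id_ecdsa", ".env", "openclaw.json",
                   ".netrc", ".npmrc", "credentials"}
SENSITIVE_SUFFIXES = {".pem", ".key", ".p12", ".pfx", ".kdbx"}
# Assumed, deliberately crude content scan: private-key headers or secret-looking
# key/value pairs in the first 64 KiB of the file.
SECRET_RE = re.compile(
    rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"
    rb"|(?i:(?:appSecret|api[_-]?key|token|password)\s*[:=]\s*\S{8,})"
)


@dataclass
class Decision:
    allowed: bool
    summary: str                      # what the operator sees before anything is sent
    reasons: List[str] = field(default_factory=list)


def config_problem(config_path: Path) -> Optional[str]:
    """Describe why the credential file is unsafe to use, or None if it is fine.
    Refusing on group/world access enforces the 'protect openclaw.json' advice."""
    try:
        mode = config_path.stat().st_mode
    except FileNotFoundError:
        return f"{config_path} not found"
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return (f"{config_path} has mode {stat.S_IMODE(mode):04o}, readable by "
                f"group/other; chmod 600 it before using the stored credentials")
    return None


def check_upload(file_path, recipient: str, allowed_roots: Iterable,
                 allowed_recipients, config_path: Path = DEFAULT_CONFIG) -> Decision:
    """Gate one upload: resolve the path (following symlinks) before comparing it
    against the allowed roots, apply the denylists and the recipient allowlist,
    scan the content for obvious secrets, and build the destination summary."""
    reasons: List[str] = []
    target = Path(file_path).expanduser().resolve()
    roots = [Path(r).expanduser().resolve() for r in allowed_roots]
    if not any(target == root or root in target.parents for root in roots):
        reasons.append(f"{target} is outside the allowed upload roots")
    if target.name in SENSITIVE_NAMES or target.suffix.lower() in SENSITIVE_SUFFIXES:
        reasons.append(f"{target.name} matches the sensitive-file denylist")
    if recipient not in allowed_recipients:
        reasons.append(f"recipient {recipient!r} is not on the allowlist")
    problem = config_problem(config_path)
    if problem:
        reasons.append(problem)
    size = 0
    if target.is_file():
        size = target.stat().st_size
        with target.open("rb") as fh:
            if SECRET_RE.search(fh.read(64 * 1024)):
                reasons.append(f"{target.name} content looks like it contains a secret")
    else:
        reasons.append(f"{target} is not a regular file")
    summary = (f"upload {target} ({size} bytes) to {DESTINATION} as the bot, "
               f"addressed to {recipient}")
    return Decision(allowed=not reasons, summary=summary, reasons=reasons)


def run_demo() -> dict:
    """Constructed scenario (not real data): a benign report, an SSH key, a note
    containing a secret, an unknown recipient, and a world-readable config file."""
    tmp = Path(tempfile.mkdtemp())
    cfg = tmp / "openclaw.json"
    cfg.write_text('{"appKey": "demo", "appSecret": "demo"}')
    os.chmod(cfg, 0o600)
    loose_cfg = tmp / "loose.json"
    loose_cfg.write_text("{}")
    os.chmod(loose_cfg, 0o644)
    reports = tmp / "reports"
    reports.mkdir()
    (reports / "nightly.txt").write_text("backup finished: 3 jobs ok\n")
    (reports / "notes.txt").write_text("appSecret=abcdef1234567890\n")
    ssh = tmp / "ssh"
    ssh.mkdir()
    (ssh / "id_ed25519").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nexample\n")
    roots, rcpts = [reports], {"ops-channel"}
    return {
        "ok": check_upload(reports / "nightly.txt", "ops-channel", roots, rcpts, cfg),
        "ssh_key": check_upload(ssh / "id_ed25519", "ops-channel", roots, rcpts, cfg),
        "secret_in_text": check_upload(reports / "notes.txt", "ops-channel", roots, rcpts, cfg),
        "bad_recipient": check_upload(reports / "nightly.txt", "someone-else", roots, rcpts, cfg),
        "loose_config": check_upload(reports / "nightly.txt", "ops-channel", roots, rcpts, loose_cfg),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(name, "ALLOW" if decision.allowed else "BLOCK", decision.summary)
        for reason in decision.reasons:
            print("   -", reason)
```

Wire check_upload() in front of whatever actually invokes the skill's upload command, show the summary to the operator (or log it for a cron job), and proceed only when allowed is true. The denylist and regex are intentionally crude and should be treated as a floor, not as a complete secret detector.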

VirusTotal

67 of 67 vendors reported this skill as clean.
