Favorites Curator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local inventory skill, but it automatically scans broad local sources and may contact GitHub or discovered websites without clear opt-in controls.

Review before installing. Use it only if you are comfortable creating a persistent local inventory of repositories, apps, skills, extensions, and hooks, and be aware that running the scanner may contact GitHub and vendor/source URLs discovered from local metadata. A safer version would provide an offline mode, explicit network opt-in, URL allowlisting, and a dry-run or confirmation step before pruning generated entries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill invokes local scripts that read environment data, scan broad local paths, write catalog/report files, and per the analyzer likely make network requests, yet the skill file declares no explicit permissions or user-consent boundaries. This creates a transparency and least-privilege problem: users may trigger filesystem, shell, and outbound-network activity without clear disclosure, increasing the chance of unintended data collection or exfiltration from scanned local resources.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The documented purpose presents the skill as a local inventory/catalog tool, but the analyzer indicates it also performs outbound GitHub API calls, fetches arbitrary discovered webpages, and caches external enrichment data. That mismatch is dangerous because users may reasonably expect only local processing, while the skill can transmit metadata about installed repos/apps/skills to third parties and ingest untrusted remote content into local caches and reports.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill is presented as a local favorites/catalog scanner, but it silently performs outbound network enrichment to GitHub and arbitrary discovered URLs. That can disclose locally installed software, repositories, skills, and app metadata to third parties, which is a meaningful privacy and scope-expansion issue for a supposedly local-first tool.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The code fetches arbitrary homepage content from discovered URLs and parses returned HTML, which exceeds what is necessary for local cataloging. This can trigger SSRF-style behavior against attacker-controlled or internal endpoints referenced in local metadata, and it also leaks host network access patterns during scanning.

Missing User Warnings

Low
Confidence: 85%
Finding
The code trusts the OPENCLAW_WORKSPACE environment variable and then creates directories under that resolved path without validating that it points to an expected workspace location or informing the user. If an attacker can influence the environment in which this skill runs, they can cause the skill to write folders and later artifacts into an unintended location, which can enable workspace confusion, data sprawl, or overwriting of files in attacker-chosen directories.

Missing User Warnings

Medium
Confidence: 91%
Finding
The enrichment subsystem is initialized and used without any visible user-facing disclosure that the scan can perform outbound HTTP requests and persist the results in a cache file. Hidden network activity in a tool described as local-first undermines informed consent and increases privacy risk.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script removes previously generated entry files that are not present in the latest scan, with no dry-run, confirmation, or warning. In inventory tooling this can cause unintended local data loss, especially if a scan is partial, fails, or is run with a limited source selection.

VirusTotal

66/66 vendors flagged this skill as clean.