Erpclaw Publish 4.3.1 20260511 000823

Security checks across malware telemetry and agentic risk

Overview

This is a powerful local ERP skill with many disclosed business features, but it needs Review because module installation and several finance/security-changing paths are broader or less gated than the skill claims.

Install only if you are comfortable giving this skill broad local control over ERP records, payroll/HR data, encrypted credentials, backups, and executable modules. Before production use, require explicit confirmation for onboarding/module installs, review any module source and registry provenance, avoid raw server-path CSV imports, keep demo seeding out of production, and do not rely on RBAC unless every integration passes a verified user identity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (41)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
args[i + 1] = action_override
                break

    os.execvp(sys.executable, [sys.executable, script] + args)


def _suggest_module_for_action(action):
Confidence
89% confidence
Finding
os.execvp(sys.executable, [sys.executable, script] + args)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env = os.environ.copy()
            lib_path = os.path.expanduser("~/.openclaw/erpclaw/lib")
            env["PYTHONPATH"] = lib_path + os.pathsep + env.get("PYTHONPATH", "")
            result = subprocess.run(
                [sys.executable, init_db_path],
                capture_output=True, text=True, timeout=60,
                env=env,
Confidence
99% confidence
Finding
result = subprocess.run( [sys.executable, init_db_path], capture_output=True, text=True, timeout=60, env=env, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Pull latest
        try:
            result = subprocess.run(
                ["git", "pull", "origin", "main"],
                cwd=install_path, capture_output=True, text=True, timeout=60
            )
Confidence
93% confidence
Finding
result = subprocess.run( ["git", "pull", "origin", "main"], cwd=install_path, capture_output=True, text=True, timeout=60 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
init_db_path = os.path.join(install_path, "init_db.py")
        if os.path.isfile(init_db_path):
            try:
                subprocess.run(
                    [sys.executable, init_db_path],
                    capture_output=True, text=True, timeout=60
                )
Confidence
99% confidence
Finding
subprocess.run( [sys.executable, init_db_path], capture_output=True, text=True, timeout=60 )

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The UI defines import actions that accept an absolute server-side CSV file path from the user, which exposes host file access semantics through the ERP interface. If the backend honors this path directly, an attacker could attempt to read arbitrary local files, trigger imports from sensitive locations, or abuse path traversal and file-discovery behavior beyond normal business workflows.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The supplier import flow similarly takes a raw CSV path, indicating the same dangerous pattern of exposing local host filesystem access through a business UI. In an ERP context with broad administrative usage, this is especially risky because import features are plausible operator workflows and may be granted to privileged users, increasing the chance of sensitive file exposure or backend misuse.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The file implements autonomous recurring bill generation and can optionally auto-submit generated purchase invoices, which creates accounting-impacting records without an explicit per-run approval gate in this code path. In an ERP buying skill, this materially increases the blast radius of mistakes, misconfiguration, or misuse because invoices and GL postings can be created in bulk by automation rather than an interactive user review step.

Context-Inappropriate Capability

Low
Confidence
81% confidence
Finding
This buying module can change company-wide controls such as receipt tolerance and three-way match policy, which are governance settings rather than ordinary transaction data. Even though the changes are audited, exposing these controls through a transactional buying skill can let a caller weaken procurement safeguards and invoice validation behavior across the company.

Description-Behavior Mismatch

Low
Confidence
82% confidence
Finding
The cross-skill endpoints allow direct creation and reversal of stock ledger entries based only on caller-supplied voucher metadata and JSON payloads, with no visible authorization, allowlist, or ownership checks in this file. In an ERP context, exposing raw inventory-ledger mutation primitives outside the documented surface materially increases the risk of unauthorized stock manipulation, audit-trail abuse, and downstream financial misstatement.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The function's docstring says recurring template deletion is a soft delete, but the implementation executes a hard DELETE against the table. This mismatch can cause operators or calling agents to rely on recoverability or audit retention that does not actually exist, leading to irreversible loss of financial scheduling configuration and weakened forensic traceability.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The file header and description present this script as an installation checker/onboarding guide, but it also contains a large `seed-demo-data` workflow that performs broad business-data creation and document submission. This capability mismatch increases the chance that users or higher-level agents invoke a high-impact mutating action under the assumption that the tool is read-oriented or low risk.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The CLI description says the tool is an installation checker/onboarding guide, yet the action router exposes `seed-demo-data`, which creates and submits many ERP records. In agent ecosystems, misleading interface descriptions are dangerous because they can cause unintended invocation of write-heavy actions by users or automation that trust the description.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The file declares a safety invariant that the AI must never alter or drop tables owned by other modules, but rollback_migration() drops tables derived from stored DDL without re-validating ownership at execution time. If a migration record is tampered with, incorrectly planned, or applied in a changed environment, rollback can delete arbitrary tables and violate module isolation, causing integrity loss across the ERP database.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The module docstring explicitly represents the script as read-only financial reporting, but the file also exposes write operations that insert elimination rules and post GL/elimination entries. This kind of capability mismatch is dangerous because downstream agents, users, or policy engines may trust the file as non-mutating and invoke it in contexts where writes are forbidden, enabling unauthorized accounting changes.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The reports skill contains actions such as add-elimination-rule and run-elimination that perform INSERTs into elimination_rule, gl_entry, and elimination_entry, followed by commits. In a skill advertised as reporting-only, these hidden write paths can be abused to alter financial records or consolidation outputs under the guise of generating reports, which materially increases operational and integrity risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
A reports-focused module should not contain accounting write capabilities unless they are clearly scoped, separated, and controlled. Embedding consolidation rule creation and posting logic into a reporting entrypoint violates least privilege and broadens the blast radius of any accidental invocation, automation mistake, or agent misuse.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This selling skill implements purchase-side capabilities such as creating purchase invoices, listing intercompany purchase-side documents, canceling mirrored purchase invoices, and creating drop-ship purchase orders. That violates the stated domain boundary and can let a caller with access to the selling skill perform unintended procurement-side mutations, expanding privilege and bypassing expected approval or routing controls.

Context-Inappropriate Capability

Medium
Confidence
74% confidence
Finding
The onboarding flow orchestrates multiple local scripts and skills automatically, expanding the setup action into a privileged workflow runner. In a skill ecosystem with optional modules and local script discovery, this increases attack surface and can execute additional code paths beyond the user's immediate expectation during a simple onboarding interaction.

Context-Inappropriate Capability

High
Confidence
86% confidence
Finding
This action imports a wrapped master key from a backup and installs it into the machine-wide key store, materially changing the host's cryptographic trust state. If misused or socially engineered, it can overwrite or replace the local keying material and make sensitive encrypted data readable under a new trust context or break access to existing data.

Context-Inappropriate Capability

Medium
Confidence
71% confidence
Finding
The skill can store, migrate, list, and delete arbitrary integration credentials, making this setup script a secrets-management surface. Even though values are encrypted at rest and not fully returned, exposing generic credential handling in a broad admin utility raises the blast radius if the action is invoked by an overprivileged agent or through weak access controls.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module advertises a critical invariant that all writes to `gl_entry` go through the validated insertion path, but `reverse_gl_entries()` performs direct inserts and state changes without reusing the main validation/checksum path. In an ERP/ledger context, bypassing a claimed single controlled write path weakens auditability and can let reversal postings evade controls such as validation consistency and checksum-chain integrity, increasing the risk of malformed or less trustworthy ledger data.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
This is a real authorization bypass: once RBAC is active, check_permission still returns True when user_id is missing, allowing callers to skip identity propagation and gain access. In an ERP system handling accounting, payroll, HR, and financial operations, treating missing user context as allowed can let unauthenticated or improperly attributed requests perform sensitive actions if any integration forgets to pass user identity.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
`reverse_sle_entries()` unconditionally calls `_reverse_fifo_layers()` for any voucher, which sets `remaining_qty = 0` on all FIFO layers sourced from that voucher before determining whether the voucher represented an incoming movement. If a voucher had created FIFO layers and some of those layers remain valid or were partially consumed, cancellation can corrupt layer state and inventory valuation, potentially causing understated stock, failed future issues, or inconsistent audit/GL behavior in a core ERP accounting path.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
A module manager also contains self-updating foundation reconciliation and rollback logic that rewrites the core skill installation. This materially expands the blast radius: a component meant for optional modules can now mutate foundational code, and the presence of an unsafe bypass flag increases risk if operators invoke it under pressure.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The README encourages broad natural-language setup requests like "Set me up" and implies the assistant will create companies, initialize accounting structures, and suggest/install modules from a conversational prompt. In an ERP context, this can trigger material state changes from underspecified user intent, increasing the risk of accidental provisioning, misconfiguration, or unauthorized financial/operational changes if the agent over-interprets vague requests.

VirusTotal

49/49 vendors flagged this skill as clean.