Bug Fixer Pro

Security checks across malware telemetry and agentic risk

Overview

This bug-fixing skill runs mostly locally, but it performs automatic monitoring that its documentation does not adequately disclose, and it can send repair details off-host through a Feishu messaging integration without asking for confirmation.

Review the script before installing it. Use it only in non-sensitive workspaces unless you are comfortable with persistent logs being written under ~/.openclaw and with bug details possibly being posted to Feishu. Consider disabling or removing the Feishu notification block, and avoid running the script with no arguments unless you want it to process recent pitfall files automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The script automatically invokes a separate Feishu messaging skill to send a repair report off-host, which creates an external data flow out of internal bug-handling logic. Although the report is brief, it includes bug identifiers, error types, verification status, and file paths, and this script applies no consent gate, enforces no destination allowlist, and performs no data minimization before transmission.
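The three missing controls named in this finding, shown as an added example that is not the skill's own code or any OpenClaw API: a consent gate that defaults to off, a destination allowlist, and field-level minimization with path and secret scrubbing before anything leaves the host. The transport is injected so the example runs offline; the environment variable BUGFIX_NOTIFY_CONSENT, the allowlist contents, the field list, and the sample bug record are all hypothetical.

```python
"""Consent-gated, allowlisted, minimized off-host repair notification.

Added example, not code from the Bug Fixer Pro skill. BUGFIX_NOTIFY_CONSENT,
ALLOWED_DESTINATIONS, REPORT_FIELDS and SAMPLE_BUG are assumptions made for
illustration; `transport` stands in for whatever messaging call a skill uses.
"""
import os
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical allowlist of notification targets (e.g. one team chat id).
ALLOWED_DESTINATIONS = frozenset({"oc_team_bugs"})

# Only these keys of the internal bug record are ever transmitted; anything
# else (file paths, env dumps, stack traces) stays on the host.
REPORT_FIELDS = ("bug_id", "error_type", "verified")

# Scrub absolute POSIX-style paths and obvious key=value secrets from any
# string that is transmitted. The path pattern is deliberately greedy.
_PATH_RE = re.compile(r"(?:/[\w.\-]+)+")
_SECRET_RE = re.compile(r"(?i)(token|secret|password|api_key)=\S+")

# Constructed bug record of the kind an autonomous fixer might hold.
SAMPLE_BUG = {
    "bug_id": "BUG-42",
    "error_type": "ImportError in /home/alice/proj/app/main.py (api_key=sk-123 in env)",
    "verified": True,
    "file": "/home/alice/proj/app/main.py",
    "env": {"API_KEY": "sk-123"},
}


@dataclass
class SendResult:
    status: str                    # "sent", "refused" or "skipped"
    payload: Optional[dict] = None
    reason: str = ""


def minimize(bug: dict) -> dict:
    """Keep only allowlisted fields and scrub paths/secrets from string values."""
    out = {}
    for key in REPORT_FIELDS:
        if key not in bug:
            continue
        value = bug[key]
        if isinstance(value, str):
            value = _SECRET_RE.sub(r"\1=<redacted>", value)
            value = _PATH_RE.sub("<path>", value)
        out[key] = value
    return out


def consent_given(env: Optional[dict] = None) -> bool:
    """Off-host notification requires an explicit opt-in; absence means no."""
    env = os.environ if env is None else env
    return env.get("BUGFIX_NOTIFY_CONSENT", "").strip().lower() in ("1", "true", "yes")


def send_repair_report(bug: dict, destination: str,
                       transport: Callable[[str, dict], None],
                       env: Optional[dict] = None) -> SendResult:
    """Gate, allowlist and minimize, in that order, before calling transport."""
    if not consent_given(env):
        return SendResult("skipped", reason="no explicit consent to notify off-host")
    if destination not in ALLOWED_DESTINATIONS:
        return SendResult("refused", reason=f"destination {destination!r} is not allowlisted")
    payload = minimize(bug)
    transport(destination, payload)
    return SendResult("sent", payload=payload)


if __name__ == "__main__":
    sent = []
    send_repair_report(SAMPLE_BUG, "oc_team_bugs",
                       lambda dest, p: sent.append((dest, p)),
                       env={"BUGFIX_NOTIFY_CONSENT": "yes"})
    print(sent)
```

The order of checks matters: consent is evaluated before the destination is even looked at, so a missing or unset opt-in can never be bypassed by a permissive allowlist, and minimization runs last so that whatever does pass both gates is the reduced record rather than the raw one.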

Vague Triggers

Medium
Confidence: 90%
Finding
The skill description is broad enough to trigger on almost any bug, error, or unexpected behavior, so the agent may route to an autonomous file-modifying skill in situations that do not warrant it. Over-broad routing increases the chance of unsafe or unnecessary automated changes, especially because the skill is explicitly positioned to diagnose and repair issues rather than merely report them.

Missing User Warnings

Medium
Confidence: 96%
Finding
The documentation says the skill performs autonomous diagnosis and repair but does not clearly warn users that it may modify files. Users can therefore invoke it without understanding that source code or configuration may be changed automatically, leading to unintended edits, breakage, or loss of work.

Missing User Warnings

Medium
Confidence: 96%
Finding
Bug details are sent externally without any user-facing warning or confirmation, which can leak operational or sensitive diagnostic information during normal automated execution. The risk is elevated in this skill because it is designed for autonomous bug diagnosis and repair, so users may not realize that internal failure context is being transmitted to an external messaging channel as a side effect of a routine fix.

VirusTotal

65/65 vendors reported this skill as clean. Note that an antivirus verdict covers known-malicious code and signatures only; it does not evaluate the agentic risks listed above, so a clean result here does not contradict the data-flow and consent findings.
