Tophant Clawvault Openclaw Alerts

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed ClawVault alerting helper that reads local dashboard data, stores local alert state, and sends redacted notifications through OpenClaw.

Install only if you use ClawVault and trust the configured OpenClaw delivery route. Before enabling `--deliver` or background monitoring, send a test message and confirm it goes only to intended channels; avoid enabling input previews or file paths unless the destination is trusted.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill advertises meaningful capabilities—file reads/writes under the user's home directory, network access to a dashboard API, and shelling out to `openclaw agent`—but does not declare any permissions in the manifest. That mismatch weakens reviewability and consent because users and policy engines cannot accurately assess what the skill can do before invocation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal