ClaWiser

Security checks across malware telemetry and agentic risk

Overview

ClaWiser appears to be a real memory and workflow enhancer, but it makes broad persistent changes that can retain conversations, alter future agent behavior, and auto-commit local files.

Install only if you intentionally want a persistent local memory system. Before enabling it, review and approve edits to AGENTS.md, SOUL.md, HEARTBEAT.md, OpenClaw config, cron jobs, and scripts; restrict indexed paths; decide whether real names should be written into memory; and remove or narrow the auto-commit script so it cannot commit unrelated files or secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Description-Behavior Mismatch

Medium severity, 94% confidence
The skill instructs the agent to append self-model and routing content into SOUL.md and AGENTS.md, changing identity, invocation policy, and user-facing behavior beyond simple tool installation. Persistent modification of core behavioral files can create durable prompt injection, broaden future activation, and make later interactions follow the skill author's priorities instead of the user's explicit intent.

Description-Behavior Mismatch

Medium severity, 96% confidence
The skill installs a recurring cron job that periodically analyzes conversation data, yet this ongoing background automation is not disclosed in the core purpose statement. Hidden persistence materially raises risk because the skill continues operating after installation, repeatedly touching user data without fresh per-run consent.

Context-Inappropriate Capability

Low severity, 79% confidence
The instruction to read IDENTITY.md, SOUL.md, and USER.md to infer real names and timezone is not necessary for basic skill installation and expands access to personal/profile data. Even if the data use seems limited, it creates unnecessary collection of potentially sensitive information and normalizes broader profile inspection.

Description-Behavior Mismatch

Medium severity, 94% confidence
The script falls back to `git add -A` and commits all remaining changes across the repository, not just memory-related artifacts. In a periodically triggered 'heartbeat' workflow, this can silently persist unrelated edits, secrets, or other sensitive files without user review, which exceeds the module’s stated purpose and creates integrity and confidentiality risk.

Context-Inappropriate Capability

Medium severity, 88% confidence
This file implements automatic source-control persistence over a broad set of repository paths, even though the skill is described as a memory/workflow enhancement module. The context makes this more concerning because the capability is designed to run automatically from HEARTBEAT.md, increasing the chance of unnoticed commits of unrelated or sensitive content.

Context-Inappropriate Capability

Medium severity, 92% confidence
The skill instructs the agent to modify a global timeout setting via `gateway(action=config.patch, path="agents.defaults.timeoutSeconds", ...)`, which changes behavior beyond the scope of noise reduction. Even if intended as an operational convenience, changing global defaults can affect unrelated agents/tasks and persists a broader configuration side effect that may weaken safety or reliability controls.

Context-Inappropriate Capability

Medium severity, 90% confidence
The skill directs writing persistent state into `AGENTS.md`, effectively altering global agent behavior and future startup context rather than only documenting denoising results locally. This expands the skill's influence across future runs and can create hidden, durable behavior changes unrelated to the immediate task.

Missing User Warnings

Medium severity, 86% confidence
The README instructs users to run an initialization step that will 'evaluate the environment, install modules, and configure everything' automatically, but it does not explain what files may be modified, what commands may run, what network access is required, or how to review/limit those actions first. For an agent skill, this is risky because users may trigger installation with excessive trust, and the automation could make persistent system changes without informed consent.

Vague Triggers

High severity, 93% confidence
The routing rules use broad, natural-language conditions like vague expressions of uncertainty or need, which can overlap heavily with ordinary conversation. This can cause frequent unintended activation of powerful workflow behaviors, increasing unauthorized file changes, context loading/saving, or other side effects without clear user intent.

Vague Triggers

Medium severity, 90% confidence
The save-game guidance tells the agent to proactively save state whenever a conversation naturally winds down or the user appears to be leaving, without clear exclusions or consent boundaries. That makes unintended retention of conversation state more likely, especially for sensitive or ephemeral discussions the user did not intend to persist.

Vague Triggers

Medium severity, 86% confidence
The suggested user-education phrases normalize very common everyday language as triggers for workflow modules. Expanding the trigger surface in this way increases accidental activation and makes it difficult for users to predict when the system will perform persistence or planning behaviors.

Missing User Warnings

Medium severity, 91% confidence
The skill directs the agent to copy modules and append content into skill directories, AGENTS.md, and SOUL.md, but does not provide prominent change warnings, previews, or consent checkpoints for these persistent edits. Silent or under-disclosed modification of control/configuration files can surprise users and make rollback difficult.

Missing User Warnings

High severity, 97% confidence
The skill directs creation of a recurring cron job that processes existing conversation data for diagnostics, but does not include an explicit privacy notice, retention explanation, or durable-consent workflow. Combining background execution with historical chat analysis creates a meaningful surveillance and data-processing risk, especially when users may not realize it will continue automatically.

Vague Triggers

Medium severity, 89% confidence
The activation criteria are very broad and include common troubleshooting phrases like '帮我排查一下' ("help me troubleshoot this"), '为什么不 work' ("why doesn't it work"), and '搞不定' ("can't get it working"), which can cause the skill to trigger in many ordinary conversations. Over-broad auto-activation can hijack agent behavior, forcing a rigid methodology when the user did not explicitly request it and increasing the chance of scope capture across unrelated tasks.

Vague Triggers

High severity, 94% confidence
The skill uses broad activation language such as '不限于特定措辞' ("not limited to specific wording") and a wide range of example phrasings, which can cause the agent to invoke this skill in loosely related contexts. Because the skill then directs the agent to inspect project memory, handoff files, cron status, and related documents, accidental activation could expose sensitive project state or trigger unnecessary state-altering review/update actions.

Missing User Warnings

Medium severity, 97% confidence
The final block stages all remaining tracked and untracked changes and commits them without any user-facing warning, review step, or confirmation. In an automated agent environment, this can capture accidental edits, credentials, generated artifacts, or unrelated project files, making silent persistence especially dangerous.

Missing User Warnings

Medium severity, 92% confidence
This script aggregates session transcripts, voice messages, identity metadata, usernames, and group names into a consolidated markdown file under the workspace, materially increasing retention and discoverability of sensitive user data. In a memory/agent-enhancement skill, that behavior is expected, but the absence of explicit user notice, consent gating, retention controls, or output hardening makes privacy exposure and accidental over-collection a real security issue rather than a mere usability concern.

Vague Triggers

High severity, 95% confidence
The trigger language is explicitly open-ended (e.g., '不限于特定措辞' ("not limited to specific wording") and broad examples like creating a project, initializing a project, checking structure), which can cause the skill to activate in many loosely related conversations. Over-broad activation increases the chance of unintended workflow execution, context hijacking, or silent modification of project-memory structures when the user did not clearly request this skill.

Vague Triggers

Medium severity, 92% confidence
The instruction that the agent should 'automatically check project ownership after creating or modifying a Skill' lacks scope boundaries, consent requirements, and limits on what files may be touched. This can lead to unexpected post-action side effects, including unsolicited filesystem changes such as creating project folders or symlinks outside the user's immediate request.

Vague Triggers

High severity, 94% confidence
The frontmatter declares the skill as silently running and agent-invoked without clear, narrow activation boundaries. That creates an overly broad autonomous trigger surface where the agent may modify retrieval configuration or initiate diagnostics unexpectedly, increasing the chance of unauthorized behavior and configuration drift.

Vague Triggers

High severity, 95% confidence
The body repeats that the skill should run silently whenever the agent decides, but does not define scope limits, cooldowns, or approval requirements. In a skill that can patch configuration and route other skills, this ambiguity can lead to unintended autonomous actions and makes abuse or misfires harder to detect.

Vague Triggers

Medium severity, 91% confidence
Diagnose mode is triggered by subjective assessments like 'search quality seems bad' or 'results obviously irrelevant', which are easy for an agent to over-interpret. Because the follow-on actions include changing configuration, adding paths, and invoking other skills, this vague threshold can cause unnecessary or unsafe autonomous modifications.

Vague Triggers

High severity, 94% confidence
The activation criteria are intentionally broad and explicitly say they are not limited to specific phrasing, including common conversational statements like '今天先到这' ("let's stop here for today") and '下次继续' ("continue next time"). That creates a real risk of unintended invocation, causing the agent to perform file-writing, project-state persistence, or scheduling actions when the user did not clearly request this skill.

Natural-Language Policy Violations

Medium severity, 87% confidence
The instruction to use real names from USER.md/IDENTITY.md instead of generic labels can expose personally identifiable information in HANDOFF.md and related project memory. In a persistence-oriented skill, this is more dangerous because the data is explicitly written to durable storage and may later be read, copied, or linked by other agents.

Vague Triggers

Medium severity, 94% confidence
The trigger conditions are intentionally broad and include generic conversational phrases such as '先别急着做,想想为什么' ("don't rush into it, think about why first") and '总觉得哪里不对' ("something feels off"), which can match many unrelated user requests. In an agent skill system, this increases the chance of unintended activation, causing the skill to steer workflows, create artifacts, or alter reasoning when the user did not explicitly request this methodology.

VirusTotal

65/65 vendors flagged this skill as clean.