Agent Creator

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent OpenClaw agent identity bundle, but it changes future agent behavior so that the agent can automatically read, write, and delete workspace memory/context files without clear user control.

Install only after reviewing AGENTS.md and SOUL.md. Back up the target workspace first, confirm you are comfortable overwriting identity/behavior files, and edit the memory rules if you do not want the agent to automatically read USER.md, MEMORY.md, memory/*, write long-term notes, or delete BOOTSTRAP.md. Restart the gateway only when you are ready for the new behavior to take effect.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium · 91% confidence
Finding
The skill's stated purpose is creating and packaging an agent identity, yet it also instructs restarting the gateway/system service. Service restarts can disrupt availability, affect unrelated workloads, and turn a content-packaging skill into one that changes runtime system state without strong justification.

Vague Triggers

Medium · 84% confidence
Finding
The trigger phrases are broad and conversational, increasing the chance that this skill is invoked in situations where the user did not intend packaging, file generation, shell use, or publication actions. Because the skill can lead to filesystem writes and command execution, accidental invocation materially raises risk.

Missing User Warnings

Medium · 95% confidence
Finding
The installation workflow includes unzipping an archive, copying files into a target workspace with overwrite semantics, and restarting a service, but provides no safety checks or warning about destructive effects. This can overwrite existing identity/configuration files, deploy unreviewed content into a live agent, and cause service interruption or misconfiguration.

Missing User Warnings

Medium · 94% confidence
Finding
The file explicitly instructs the agent to create, edit, and update persistent memory files and to write down information without any explicit user-facing warning or consent boundary for modifying workspace memory. In an agent-creation skill, these instructions become baked into future agent behavior, which can lead to silent persistence of sensitive user data, unintended retention, or modification of long-term context files without the user's awareness.

Missing User Warnings

Medium · 95% confidence
Finding
The instruction to follow BOOTSTRAP.md and then delete it tells the agent to remove a file automatically on first run, without requiring user confirmation or even notifying the user. Even if BOOTSTRAP.md is intended as a temporary setup artifact, undisclosed deletion is dangerous because it destroys potentially useful provenance, auditability, or recovery information and normalizes autonomous file removal in a template skill.

Missing User Warnings

Medium · 89% confidence
Finding
The skill explicitly instructs the agent to read and update persistent memory files and to write down significant information or anything the user says to remember, but it does not require explicit user consent, visibility, or confirmation before modifying user data. In an agent-creation skill, this can normalize silent persistence of sensitive information and lead to retention of private data the user did not expect to be stored.

VirusTotal

66/66 vendors flagged this skill as clean.