Safe Update/Merge

Security checks across malware telemetry and agentic risk

Overview

The merge tool is mostly disclosed and purpose-aligned, but it also bundles sensitive background-session transcript viewing and messaging plus ambiguous documentation around force-push workflows.

Install only if you control the target OpenClaw fork and are comfortable with a tool that can merge code, build/install dependencies, restart the gateway, send redacted conflicted files to Claude, and force-push after promotion. Before using it, review or remove the background sessions panel if you do not want update-related code to read transcripts or send messages to cron/background sessions, run dry-run first, and treat --promote as the only step that should update the protected branch.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The embedded background-sessions panel is unrelated to the advertised merge/update task and introduces access to potentially sensitive conversation transcripts and control of background agents. Bundling this capability into maintenance documentation creates scope creep and can hide surveillance or cross-session interaction features inside a trusted operational tool.

Description-Behavior Mismatch

High
Confidence: 96%
Finding
The skill claims Phase 2 promotion requires user confirmation, but the documented resume flow says it jumps to build, push, and cleanup. This contradiction can cause operators or automation to trigger remote mutation and cleanup without the promised verification step, undermining the primary safety control of the two-phase design.

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The documentation inconsistently states both that the user manually decides whether to merge/push and that an automated --promote workflow force-pushes and resets branches. Inconsistent operator guidance around destructive git actions increases the likelihood of accidental misuse and unsafe automation assumptions.

Intent-Code Divergence

Medium
Confidence: 87%
Finding
The changelog says successful runs push to the fork and delete the temp branch, which conflicts with the claimed current two-phase, user-confirmed promotion model. Historical or conflicting instructions in a high-impact operational skill can lead users to invoke it under false assumptions about when destructive actions occur.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The --resume flag is described inconsistently: one part says it resumes build/restart on an existing branch, while another says it performs push and cleanup. Ambiguity around a resume action in a tool that can overwrite remote branches is dangerous because it blurs the line between recovery and promotion.

VirusTotal

65/65 vendors flagged this skill as clean.
