ToolFlow OpenClaw Operator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent workflow-runner skill, but it needs Review because it can read local files and, when configured, run commands or modify files with limited scoping.

Install only if you want a local workflow runner that can persist workflow outputs and inspect local files. Keep elevated mode and command-based progress updates disabled unless needed, tightly limit allowed commands, dry-run and inspect workflows before submitting them, and do not run workflows from untrusted sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium, 92% confidence
Finding
The plugin exposes `toolflow_submit` as if it merely runs a workflow file, but the workflow can include elevated actions such as `exec_command` and `apply_patch`. This mismatch is security-relevant because users or upstream agents may invoke the tool without understanding that it can trigger shell execution or modify files once elevated mode is enabled and approvals are granted.

Missing User Warnings

Medium, 90% confidence
Finding
`runApplyPatch` writes attacker-controlled patch content to a temp file and executes `git apply` against a resolved working directory, which can modify repository files. In this plugin context, the absence of user-facing disclosure in the registered tooling increases the chance that a caller triggers destructive file changes without informed consent.

Missing User Warnings

Medium, 93% confidence
Finding
`runExecCommand` executes a subprocess from workflow-controlled payload data after only checking the binary name against an environment-configured allowlist. Even with an allowlist, this exposes shell-adjacent execution capability through the plugin, and the lack of clear disclosure in the user-facing tool definitions makes accidental high-risk invocation more likely.

Missing User Warnings

Medium, 92% confidence
Finding
The progress reporter executes `config.progressUpdates.command` using `spawn(..., { shell: true })`, with the command sourced from environment variables or overrides. This creates a command-injection and arbitrary command execution surface: anyone able to influence TOOLFLOW_PROGRESS_COMMAND or config can run shell commands in the runtime context, even though this feature is framed as mere progress reporting.

VirusTotal

66/66 vendors flagged this skill as clean.