Back to skill

Security audit

ClawBrain Pro

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real ClawBrain integration, but it needs Review because it can route user content to a third-party API, store long-term memories, and enable broad diagnostic or benchmark actions without clear limits.

Install only if you are comfortable sending OpenClaw prompts, images, and diagnostic requests to the ClawBrain/FactorHub service and having conversation-derived facts remembered across sessions. Use a dedicated API key, avoid secrets or regulated data, review memory management and deletion options first, and run benchmark or doctor workflows only in a test workspace with explicit approval for commands, file changes, package installs, network calls, or messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is presented as a benchmark, but its documented scope includes real operational capabilities such as file editing, web access, messaging, and terminal/service control. That mismatch can cause users to invoke what sounds like a harmless evaluation workflow while actually authorizing broad side-effecting actions, increasing the risk of unintended execution or privilege misuse.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Including messaging actions in a benchmark materially expands the skill from evaluation into external communication with real-world side effects. If triggered unexpectedly, the skill could send messages or notifications to third parties during a test run, creating privacy, reputational, or social-engineering risk disproportionate to the stated benchmarking purpose.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The skill markets autonomous handling of vague requests such as "帮我准备下" and automatic step decomposition without defining clear activation boundaries, confirmation requirements, or safety limits. In an agent context, this can cause over-broad task execution, unintended actions, or unsafe assumptions from ambiguous prompts, especially when combined with claims of automatic planning and persistence.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation phrases are generic enough that ordinary user requests about testing model quality could unintentionally trigger this skill. Because the skill dispatches to an exec-backed tool and the benchmark scope includes operational actions, accidental activation could lead to unintended command execution or other side effects under the guise of a simple benchmark request.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly advertises automatic extraction, retention, and daily consolidation of conversation data into structured memory across sessions, but it does not present any clear consent, retention, deletion, or privacy notice. This creates a real privacy and data-governance risk because users may unknowingly have sensitive personal or business information persistently stored and reused.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The configuration directs users to route prompts and API credentials to a third-party endpoint at api.factorhub.cn without clearly warning that user inputs and metadata will leave the local environment. This is a genuine external data transmission risk, especially if users assume the skill is only a local enhancement and do not realize their content and secrets are being sent to an outside provider.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger text says the memory behavior is installed and active automatically, with examples broad enough to encourage retrieval of prior conversations without clear scope, consent boundaries, or activation conditions. In a long-term memory skill, ambiguous auto-activation increases the risk of unintentional collection and recall of sensitive user data across sessions.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill markets persistent memory across conversations but does not prominently warn users that their conversation content may be stored, consolidated, and reused as long-term memory. This creates a privacy and consent failure: users may disclose sensitive personal, professional, or account information without understanding that it will persist beyond the current session.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The listed trigger phrases are common conversational expressions, so the skill may activate recall search during ordinary dialogue without the user clearly intending to query stored memory. In a memory-retrieval skill, that can cause unnecessary access to historical conversation data and create privacy or context-leakage risks, especially if recalled content is surfaced in shared or sensitive sessions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly recommends automatically installing missing dependencies before retrying execution, but provides no warning that this modifies the host environment and may introduce unreviewed software. In an agent context, this can lead to unauthorized package installation, supply-chain exposure, and persistent system changes triggered merely by an execution error.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill markets fully automatic error recovery where the AI "handles it itself" without user involvement, but does not disclose that retries, alternate strategies, or other actions may execute autonomously. This increases the risk of silent tool use, repeated side effects, and unexpected system changes without informed user consent.

Ssd 3

Medium
Confidence
93% confidence
Finding
The skill describes persisting user conversation details as reusable memory across sessions, including identity updates, preference tracking, and source-linked records. In context, this increases the danger because the memory is positioned as always-on, automatic, and restorative for long conversations, which can capture sensitive personal, operational, or proprietary information without clear boundaries or consent.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 检查后端模型健康状态
curl https://api.factorhub.cn/v1/health/backends -H "Authorization: Bearer YOUR_KEY"

# 检查知识图谱状态
curl https://api.factorhub.cn/v1/graph/stats -H "Authorization: Bearer YOUR_KEY"
Confidence
83% confidence
Finding
https://api.factorhub.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
curl https://api.factorhub.cn/v1/health/backends -H "Authorization: Bearer YOUR_KEY"

# 检查知识图谱状态
curl https://api.factorhub.cn/v1/graph/stats -H "Authorization: Bearer YOUR_KEY"

# 检查模型列表和能力
curl https://api.factorhub.cn/v1/models -H "Authorization: Bearer YOUR_KEY"
Confidence
84% confidence
Finding
https://api.factorhub.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
curl https://api.factorhub.cn/v1/graph/stats -H "Authorization: Bearer YOUR_KEY"

# 检查模型列表和能力
curl https://api.factorhub.cn/v1/models -H "Authorization: Bearer YOUR_KEY"
```

接入 ClawBrain:https://clawbrain.dev/dashboard
Confidence
81% confidence
Finding
https://api.factorhub.cn/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.