OpenClaw Codebase Intelligence

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent local codebase indexing tool, but it merits review because its cache loading and optional parser loading can execute local code, and it persists code previews inside the analyzed project.

Review before installing, especially if you analyze untrusted repositories. Do not run it in a repo that already contains a .codebase-intelligence/codebase_index.pkl file unless you trust that file, because Python pickle loading can execute code. Add the cache directory to .gitignore, inspect or delete cached indexes when handling sensitive code, and treat the LLM wording/flag as inaccurate in this version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The file advertises LLM/OpenClaw-backed answering, but all logic is purely local heuristic/index-based processing. This is a security-relevant integrity issue because users and downstream automation may make trust decisions based on claimed model-backed analysis or assume external review/filtering occurred when it did not.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
The API and CLI expose `use_llm` / `--no-llm`, but the parameter is ignored, so users cannot actually control processing mode. In a security-analysis skill, this can mislead operators into believing a safer or more capable path was selected, creating silent failure of security expectations and potentially incorrect audit or triage results.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The indexer prepends a sibling directory to sys.path and imports c_parser from there, which executes attacker-controlled Python code if that path or module is replaced. In a code-analysis skill, dynamically trusting local code outside the package boundary materially expands the attack surface because indexing a repository can now trigger arbitrary code execution during startup.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
The quick start says the tool will automatically create a .codebase-intelligence directory in the target project, but this side effect is not clearly warned about before execution. Unexpected writes into a codebase can pollute repositories, interfere with tooling, or cause sensitive environments to be modified without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The cache writer stores a pickle and a JSON file containing indexed metadata and content previews from repository files onto disk without any explicit consent or warning. In a codebase-analysis context, repositories may contain secrets or proprietary code, so silent persistence increases the chance of unintended local disclosure and long-lived sensitive data exposure.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The ask command invokes LLM-backed question answering by default, which can transmit codebase content or derived context to an external model without an explicit warning or consent checkpoint. In a codebase-intelligence skill, users may ask questions about proprietary source, secrets, or internal architecture, making silent exfiltration of sensitive data a realistic confidentiality risk.

VirusTotal

64/64 vendors flagged this skill as clean.