ClawHub

OpenClaw TDD

Security checks across malware telemetry and agentic risk

Overview

This is a user-directed Python testing helper with some overstated documentation, but no evidence of hidden data access, exfiltration, persistence, or destructive behavior.

Install only if you are comfortable with a coding skill reading source files, writing generated tests to paths you choose, and running your project's test commands. Treat the advertised Jest, Go, mutation-testing, specification-generation, and TDD-cycle features as incomplete until the publisher updates the documentation or implementation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The skill claims broader functionality than it appears to implement, including support for specs-based generation and multiple frameworks. In a code-executing assistant, this kind of capability misrepresentation is dangerous because users may rely on unsupported workflows, assume broader validation than actually occurs, or permit execution under false expectations about what tools and files will be touched.

Intent-Code Divergence

Medium
Confidence
80% confidence
Finding
The roadmap contradicts earlier sections by marking TDD guidance, mutation testing, and JavaScript/Go support as not yet implemented while presenting them elsewhere as available. This inconsistency can mislead users into invoking nonexistent or partial functionality, which is especially risky for a shell-capable skill because it may cause unsafe fallback behavior, broken automation, or incorrect trust in test results.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal