WeCom (企微) Agent Ops Center

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent WeCom agent-ops connector, but it is rated Review because, by default, it can send chat message content (for conversion) and local agent inventory to an external service, with weak disclosure of, and weak controls over, that transmission.

Install only if you are comfortable with WeCom message content and local agent inventory potentially going to www.hermesai.ltd. Before use, verify whether cloud conversion can truly be disabled in your runtime, keep the dashboard bound to localhost or behind authentication, avoid enabling P2P inbound exposure unless needed, review what the scanner will upload, and treat lifecycle/process controls as administrative functionality.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (34)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The product page claims strong data-locality and observability assurances, but elsewhere documents a cloud-based message conversion API. That inconsistency can mislead users into believing message content never leaves the local environment, creating privacy, compliance, and trust risks if sensitive chat content is actually transmitted externally.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
Saying chat history is not stored and the product does not touch user data conflicts with later statements that message content may be sent to a cloud conversion API. Even if storage is avoided, transmission to a third party still materially affects confidentiality and may violate user expectations or internal policy.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The README makes a reassuring claim that monitoring data is entirely local, while elsewhere it states that local agents are automatically scanned and reported and that message conversion may use a cloud API. This creates a materially misleading privacy boundary: users may deploy the skill believing sensitive metadata or message content never leaves the host when external transmission can occur.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The documentation makes a reassuring claim that monitoring data is stored locally, but elsewhere states agents are automatically scanned and batch-registered to an Ops Center and that message conversion may use a cloud API. This inconsistency can mislead users about what data leaves the host, causing unintended disclosure of agent inventory, metadata, or message content.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The script's stated purpose is to scan local skill and agent metadata, but it also enumerates running processes via a shell command and includes matching process details in the outbound inventory. This broadens collection beyond the documented scope and can expose command-line contents, process names, and operational context that users would not reasonably expect to be transmitted.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The code labels the HTTP surface as a lightweight status panel, but it exposes multiple POST endpoints for task, resource, and audit operations and forwards broad API prefixes to DashboardAPI. There is no visible authentication, authorization, CSRF protection, or request-size limiting in this file, so if the service is bound to a reachable interface an attacker could invoke privileged internal operations, manipulate state, or abuse monitoring and lifecycle functionality.
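
The kind of request guard a practitioner would put in front of such a panel, as an added example (this is not code from the skill or from SkillSpector). It assumes Node-style request objects (method, url, headers) and illustrative names: the privileged path prefixes, the policy object, and the token value are constructed for the example.

```javascript
// Added example: guarding a "status panel" that also exposes state-changing
// POST endpoints. Not the skill's code; names and policy values are illustrative.

const DEFAULT_POLICY = {
  bindAddress: '127.0.0.1',   // listen on loopback; a wider bind requires a token
  token: null,                // bearer token for privileged or mutating requests
  allowedOrigins: ['http://127.0.0.1:3000', 'http://localhost:3000'],
  maxBodyBytes: 64 * 1024,    // request-size limit for mutating requests
  privilegedPrefixes: ['/api/task', '/api/resource', '/api/audit', '/api/lifecycle'],
};

// Compares the full strings without early exit on the first differing byte
// (length is still revealed, which is acceptable for a fixed-length token).
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns { ok, status, reason }; the caller answers `status` when ok is false.
function authorizeRequest(req, policy = DEFAULT_POLICY) {
  const method = String(req.method || 'GET').toUpperCase();
  const path = String(req.url || '/').split('?')[0];
  const headers = req.headers || {};
  const mutating = !['GET', 'HEAD', 'OPTIONS'].includes(method);
  const privileged = policy.privilegedPrefixes.some((p) => path.startsWith(p));

  // 1. Size limit: mutating requests must declare a length and stay under the cap.
  if (mutating) {
    const len = Number(headers['content-length']);
    if (!Number.isFinite(len) || len < 0 || headers['content-length'] === undefined) {
      return { ok: false, status: 411, reason: 'length required' };
    }
    if (len > policy.maxBodyBytes) return { ok: false, status: 413, reason: 'body too large' };
  }

  // 2. CSRF: browsers send Origin on cross-site POSTs; only allowlisted origins pass.
  if (mutating && headers.origin !== undefined && !policy.allowedOrigins.includes(headers.origin)) {
    return { ok: false, status: 403, reason: 'origin not allowed' };
  }

  // 3. Auth: privileged paths and all mutating requests need the bearer token,
  //    whatever interface the server happens to be bound to.
  if (privileged || mutating) {
    if (!policy.token) return { ok: false, status: 503, reason: 'admin API disabled: no token configured' };
    const auth = String(headers.authorization || '');
    const presented = auth.startsWith('Bearer ') ? auth.slice('Bearer '.length) : '';
    if (!constantTimeEqual(presented, policy.token)) return { ok: false, status: 401, reason: 'bad token' };
  }
  return { ok: true, status: 200, reason: 'allowed' };
}

// Refuses to hand back listen options that would expose the panel without a token.
function listenOptions(policy = DEFAULT_POLICY) {
  const loopback = ['127.0.0.1', '::1', 'localhost'].includes(policy.bindAddress);
  if (!loopback && !policy.token) throw new Error('refusing non-loopback bind without a token');
  return { host: policy.bindAddress };
}
```

Read-only status requests still pass with the default policy, so the "lightweight status panel" use case is unaffected; everything under the task, resource, audit and lifecycle prefixes is treated as administrative functionality.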

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The comments and docstring claim comprehensive interception of all outbound HTTP/HTTPS traffic, but the implementation explicitly allows requests through when the destination cannot be determined, such as certain option shapes or non-hostname transports. In a security control, overstating coverage is dangerous because operators may rely on it as an egress enforcement boundary while attackers or buggy code can use uncovered request forms to bypass the whitelist.

Intent-Code Divergence

Severity: Low
Confidence: 87%
Finding
The code auto-allows broad private ranges, including 10/8, 172.16/12, 192.168/16, loopback, and 0.0.0.0/8, while the comments describe this more narrowly as internal/localhost bypass. In an agent environment, broad implicit trust of internal ranges can enable SSRF-style access to sensitive internal services or cloud metadata-adjacent endpoints if other code can trigger requests to private addresses.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The module is presented as a local message conversion engine, but it actually sends message frames and replies to a remote service by default. That creates a data exfiltration and trust-boundary risk because potentially sensitive enterprise chat content is transmitted off-system without strong in-code disclosure, consent, or minimization.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The code posts full message frames to an external domain and also sends agent replies for remote transformation. In a messaging integration, frames may contain user identifiers, chat identifiers, message contents, and event metadata, so this behavior can expose sensitive internal communications to a third party if the endpoint is compromised, misconfigured, or unauthorized.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The disconnect() method clears timers and closes the socket, but the close event handler unconditionally calls _scheduleReconnect(). That means a caller requesting shutdown may still trigger background reconnection, causing unintended persistence, inability to fully stop the client, and possible repeated re-authentication or message handling after the application believes the connection is terminated.
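
The shutdown race described above, shown in an added example that is not the connector's own client code. The `ReconnectingClient` class, its `fixed` switch and the fake socket and timers are constructed for the example; `fixed: false` reproduces a close handler that reconnects unconditionally, `fixed: true` consults an explicit stopped flag.

```javascript
// Added example: a reconnecting client whose disconnect() actually sticks.
// Not the skill's code. The socket factory and timer functions are injected so
// the fake socket and fake timers below exercise it with no network.

class ReconnectingClient {
  constructor({ connect, schedule, cancel, reconnectDelayMs = 1000, fixed = true }) {
    this.connect = connect;       // () => object with on(event, fn) and close()
    this.schedule = schedule;     // (fn, ms) => timer handle
    this.cancel = cancel;         // (handle) => void
    this.reconnectDelayMs = reconnectDelayMs;
    this.fixed = fixed;
    this.stopped = false;
    this.socket = null;
    this.reconnectTimer = null;
    this.reconnectAttempts = 0;
  }

  start() { this.stopped = false; this._open(); }

  _open() {
    this.socket = this.connect();
    this.socket.on('close', () => {
      // Fixed: an intentional shutdown must not schedule a reconnect.
      // Buggy: the close handler reconnects no matter why the socket closed.
      if (this.fixed && this.stopped) return;
      this._scheduleReconnect();
    });
  }

  _scheduleReconnect() {
    if (this.reconnectTimer !== null) return;
    this.reconnectAttempts += 1;
    this.reconnectTimer = this.schedule(() => {
      this.reconnectTimer = null;
      if (this.fixed && this.stopped) return;   // disconnect() raced the timer
      this._open();
    }, this.reconnectDelayMs);
  }

  disconnect() {
    this.stopped = true;          // set first: close may fire synchronously below
    if (this.reconnectTimer !== null) { this.cancel(this.reconnectTimer); this.reconnectTimer = null; }
    const socket = this.socket;
    this.socket = null;
    if (socket) socket.close();
  }
}

// Test doubles, constructed for this example.
class FakeSocket {
  constructor() { this.handlers = {}; this.closed = false; }
  on(event, fn) { this.handlers[event] = fn; }
  close() { this.closed = true; if (this.handlers.close) this.handlers.close(); }
}
class FakeTimers {
  constructor() { this.pending = new Map(); this.nextId = 1; }
  schedule(fn) { const id = this.nextId++; this.pending.set(id, fn); return id; }
  cancel(id) { this.pending.delete(id); }
  runAll() { const fns = [...this.pending.values()]; this.pending.clear(); fns.forEach((fn) => fn()); }
}

function makeClient(fixed, onConnect) {
  const timers = new FakeTimers();
  const client = new ReconnectingClient({
    connect: () => { const s = new FakeSocket(); onConnect(s); return s; },
    schedule: (fn, ms) => timers.schedule(fn, ms),
    cancel: (id) => timers.cancel(id),
    fixed,
  });
  return { client, timers };
}

// Open, call disconnect(), let any pending timer fire. opened === 2 means the
// client came back after the caller asked it to stop.
function simulateDisconnect(fixed) {
  let opened = 0;
  const { client, timers } = makeClient(fixed, () => { opened += 1; });
  client.start();
  client.disconnect();
  timers.runAll();
  return { opened, reconnectAttempts: client.reconnectAttempts, socketOpen: client.socket !== null };
}

// Open, have the peer drop the connection, and confirm the fixed client still reconnects.
function simulatePeerDrop() {
  let opened = 0;
  let last = null;
  const { client, timers } = makeClient(true, (s) => { opened += 1; last = s; });
  client.start();
  last.close();          // peer-initiated close, same event path
  timers.runAll();
  return { opened, reconnectAttempts: client.reconnectAttempts };
}
```

The flag is set before the socket is closed because some transports emit `close` synchronously from `close()`; clearing timers before closing, as the finding describes, is not enough when the close handler itself creates a new one.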

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The document states that installation triggers automatic scanning of local Agent directories with zero manual configuration, but it does not clearly bound scope, timing, or consent. This is dangerous because users may unknowingly grant broad local enumeration of installed agents and related metadata, increasing privacy and inventory exposure risk.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill advertises automatic discovery and batch registration of all local agents to Ops Center without a prominent risk warning or consent mechanism. In this context, auto-registering discovered agents can expose tenant IDs, platform information, endpoints, and operational metadata beyond what users expect during installation.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The FAQ discloses that message conversion may pass through a cloud API at www.hermesai.ltd and only later mentions that plaintext is not stored. Routing message content through a remote service without a clear, prominent prior warning creates confidentiality, compliance, and interception risk, especially for enterprise chat and monitored agent traffic.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The documentation states that message content can pass through a cloud conversion API but does not present a clear privacy warning, consent notice, or deployment risk guidance. In an agent-operations context, messages may contain credentials, internal business data, or regulated information, so omission of this warning increases the chance of unsafe deployment.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The documentation exposes lifecycle endpoints that can start, stop, restart, and force-kill managed processes, including SIGKILL behavior, without visible warnings about authentication, authorization, or restricted exposure. If these interfaces are enabled on a reachable dashboard, they create a direct path to denial of service or unsafe process manipulation.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README advertises automatic scanning of local agent directories and bulk registration without a prominent warning about the scope of discovery or what metadata is reported. In an agent-skill context, this can lead users to unknowingly expose inventory information about all locally installed agents, which may include sensitive project names, endpoints, tenant IDs, or operational metadata.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The README states that message conversion uses a cloud API but does not prominently warn users that message content may be transmitted to an external service. Because this skill handles chat/agent operations and may process operational or sensitive content, undisclosed third-party transmission creates a significant confidentiality and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill advertises automatic scanning of local agent directories and batch registration to an Ops Center without a prominent upfront warning or consent step. Enumerating local agents and reporting their metadata can expose sensitive information about installed tooling, tenants, or internal infrastructure to another service.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The FAQ says message conversion uses a cloud API but does not present this as a prominent warning near installation and setup steps. Users may reasonably assume messages stay local, while actual message content may be transmitted to a remote server, creating confidentiality and compliance risks.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The guide explicitly configures a cloud converter at https://www.hermesai.ltd with an API key, but it does not disclose that message content may be sent to a third-party service for processing. In a messaging connector handling enterprise chat data, this omission can cause unintentional data exfiltration, privacy violations, or regulatory noncompliance if operators enable the feature without understanding the data flow.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding
The monitor performs outbound HTTP requests to agent.endpoint values that can be registered dynamically via registerAgent/bulkRegister without validation or network restrictions. If untrusted users or upstream components can influence endpoints, this creates an SSRF-style primitive that can probe internal services, cloud metadata endpoints, or other restricted network locations from the monitor's environment.
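
One egress policy covering both this finding and the two interceptor findings above (the fail-open path for undetermined destinations and the implicit trust of 10/8, 172.16/12, 192.168/16, loopback and 0/8). This is an added example, not the skill's interceptor or monitor code. It assumes the argument shapes Node's `http.request`/`https.request` accept; the function names, the policy object and the allowlist contents are constructed for the example.

```javascript
// Added example: fail-closed egress checks that treat private ranges as
// "must be listed explicitly", reused to validate agent.endpoint at registration.
// Not the skill's code; names and EXAMPLE_POLICY are illustrative.

// Returns { host, port } or null when the destination cannot be determined
// (unix sockets, custom createConnection transports, unparseable input).
function resolveDestination(input, options) {
  let url = null;
  let opts = options || {};
  if (typeof input === 'string') {
    try { url = new URL(input); } catch { return null; }
  } else if (input instanceof URL) {
    url = input;
  } else if (input && typeof input === 'object') {
    opts = input;
  } else {
    return null;
  }
  if (opts.socketPath || typeof opts.createConnection === 'function') return null;
  let host = opts.hostname || opts.host || (url ? url.hostname : null);
  if (!host) return null;
  host = String(host).toLowerCase().replace(/^\[|\]$/g, '');   // strip IPv6 brackets
  const protocol = opts.protocol || (url ? url.protocol : 'http:');
  const port = Number(opts.port || (url && url.port) || (protocol === 'https:' ? 443 : 80));
  return { host, port };
}

function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Ranges an egress control must not trust implicitly: "this host" (0/8), loopback,
// RFC 1918, and link-local, where cloud metadata services (169.254.169.254) live.
const INTERNAL_V4 = [['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]];

function isInternalAddress(host) {
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host.startsWith('::ffff:')) host = host.slice(7);          // IPv4-mapped IPv6
  if (host === '::1' || host === '::' || host.startsWith('fe80:') || /^f[cd][0-9a-f]{2}:/.test(host)) return true;
  const n = ipv4ToInt(host);
  if (n === null) return false;                                  // a hostname, not a literal
  return INTERNAL_V4.some(([base, bits]) => (n >>> (32 - bits)) === (ipv4ToInt(base) >>> (32 - bits)));
}

// Deny unless the host is explicitly listed. Internal ranges get the same
// treatment: nothing is waved through because it looks local.
function checkEgress(dest, policy) {
  if (!dest) return { allowed: false, reason: 'destination undetermined' };
  const listed = policy.allowHosts.some((h) => dest.host === h || dest.host.endsWith('.' + h));
  if (listed) return { allowed: true, reason: 'allowlisted' };
  if (isInternalAddress(dest.host)) return { allowed: false, reason: 'internal address not allowlisted' };
  return { allowed: false, reason: 'host not allowlisted' };
}

// Applied when an agent.endpoint is registered, before the monitor ever fetches it.
function validateAgentEndpoint(endpoint, policy) {
  let url;
  try { url = new URL(String(endpoint)); } catch { return { ok: false, reason: 'not a URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'scheme not allowed' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  const verdict = checkEgress(resolveDestination(url), policy);
  return verdict.allowed ? { ok: true, reason: 'ok' } : { ok: false, reason: verdict.reason };
}

// Constructed policy: the converter host plus one internal service that had to be
// listed explicitly; every other private address is denied.
const EXAMPLE_POLICY = { allowHosts: ['www.hermesai.ltd', '10.0.5.20'] };
```

A literal-address check is only half of the control: a registered hostname that resolves to an internal address passes `validateAgentEndpoint` and must be caught again at connect time on the resolved address (for instance through a custom `lookup` on the request). Rejecting `null` from `resolveDestination` is what closes the gap the interceptor finding describes.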

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The script reads identifiers from local configuration and memory files, then uses them as tenant identifiers for remote registration without explicit informed consent. In this context, the scanner is inventorying local assets and binding them to a user or tenant identity, which creates privacy and tracking risk and can leak organizational identifiers to an external service.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The script sends discovered local agent inventory, platform information, tenant ID, and ongoing heartbeat data to a remote server, but only logs operational status rather than clearly disclosing the outbound payload contents. Because the targets include local skills, agents, OpenClaw configurations, and process-derived metadata, this constitutes undisclosed exfiltration of environment inventory to an external domain.
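
How a scanner can keep the outbound inventory within its documented scope (the process-enumeration and tenant-identifier findings above, and the undisclosed payload here): an added example, not the skill's scanner. It builds the report from a field allowlist and produces a disclosure summary for the log line that precedes the send. The discovered inventory and the field names (`name`, `platform`, `version`, `endpoint`, `tenantId`, `processes`, `cmdline`) are constructed for the example.

```javascript
// Added example: allowlist-based inventory report with a disclosure summary.
// Not the skill's code; field names and DISCOVERED are constructed.

const AGENT_FIELDS = ['name', 'platform', 'version', 'endpoint'];   // the documented payload
const PROCESS_FIELDS = ['pid', 'name'];                              // command lines are opt-in only

function pick(obj, fields) {
  const out = {};
  for (const f of fields) if (obj[f] !== undefined) out[f] = obj[f];
  return out;
}

// Everything not on an allowlist is dropped; processes and their command lines
// are two separate opt-ins so each widening of scope is a deliberate choice.
function buildInventoryReport(discovered, { tenantId = null, includeProcesses = false, includeCommandLines = false } = {}) {
  const agents = discovered.map((a) => {
    const agent = pick(a, AGENT_FIELDS);
    if (includeProcesses && Array.isArray(a.processes)) {
      const fields = includeCommandLines ? [...PROCESS_FIELDS, 'cmdline'] : PROCESS_FIELDS;
      agent.processes = a.processes.map((p) => pick(p, fields));
    }
    return agent;
  });
  const payload = { tenantId, agents };
  return { payload, disclosure: describeDisclosure(payload) };
}

// Plain-language summary of what leaves the host, logged before the send
// instead of a bare "registered N agents" status line.
function describeDisclosure(payload) {
  const fields = new Set();
  for (const a of payload.agents) {
    Object.keys(a).forEach((k) => fields.add(k));
    (a.processes || []).forEach((p) => Object.keys(p).forEach((k) => fields.add('processes.' + k)));
  }
  return { agentCount: payload.agents.length, tenantIdIncluded: payload.tenantId !== null, fields: [...fields].sort() };
}

// Constructed sample of what a local scan might turn up, including data that
// should never be sent by default (a secrets path and an API key on a command line).
const DISCOVERED = [
  { name: 'billing-bot', platform: 'openclaw', version: '1.4.0', endpoint: 'http://127.0.0.1:9001',
    secretsPath: '/home/ops/.billing/keys.json',
    processes: [{ pid: 4242, name: 'node', cmdline: 'node agent.js --api-key=sk-constructed-example' }] },
  { name: 'hr-assistant', platform: 'openclaw', version: '0.9.2', endpoint: 'http://127.0.0.1:9002', processes: [] },
];
```

Whether a tenant identifier read from local configuration belongs in the payload at all is a policy decision; the point of `tenantIdIncluded` in the summary is that the decision is visible in the log rather than buried in the request body.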

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
In `warn` mode, the scanner explicitly detects secrets but still returns the original text unchanged and marks it as safe, which can allow credentials, tokens, or private material to be transmitted despite successful detection. In the context of a pre-send secrets scanner, this undermines the control's primary purpose and creates a clear path for inadvertent data exfiltration, especially because there is no enforced user acknowledgement or downstream indication that sensitive content is being released.
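
What a `warn` mode that does not defeat its own control looks like, as an added example (not the skill's scanner): a finding is never reported as safe, the text handed back is redacted by default, and the original is released only on an explicit per-call acknowledgement. The detector patterns, mode names and sample messages are constructed for the example; the AWS key is the well-known documentation example value.

```javascript
// Added example: a pre-send secrets scanner whose warn mode still fails safe.
// Not the skill's code; detectors and samples are constructed.

const DETECTORS = [
  { name: 'aws-access-key-id', pattern: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'github-token', pattern: /\bgh[pousr]_[A-Za-z0-9]{36}\b/g },
  { name: 'private-key-block', pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----/g },
  { name: 'bearer-token', pattern: /\bBearer\s+[A-Za-z0-9\-._~+\/]{20,}=*/g },
];

// Returns [{ type, start, end }] sorted by position.
function detectSecrets(text) {
  const findings = [];
  for (const { name, pattern } of DETECTORS) {
    for (const m of text.matchAll(pattern)) {
      findings.push({ type: name, start: m.index, end: m.index + m[0].length });
    }
  }
  return findings.sort((a, b) => a.start - b.start);
}

function redact(text, findings) {
  let out = '';
  let cursor = 0;
  for (const f of findings) {
    if (f.start < cursor) continue;             // overlapping match already covered
    out += text.slice(cursor, f.start) + `[REDACTED:${f.type}]`;
    cursor = f.end;
  }
  return out + text.slice(cursor);
}

// mode: 'block' | 'redact' | 'warn'. In warn mode the caller must pass
// acknowledged: true to release the original, and even then safe stays false
// so downstream code cannot mistake the release for a clean scan.
function scanOutbound(text, { mode = 'redact', acknowledged = false } = {}) {
  const findings = detectSecrets(text);
  if (findings.length === 0) return { safe: true, action: 'pass', text, findings };
  switch (mode) {
    case 'block':
      return { safe: false, action: 'blocked', text: null, findings };
    case 'redact':
      return { safe: false, action: 'redacted', text: redact(text, findings), findings };
    case 'warn':
      return acknowledged
        ? { safe: false, action: 'released-with-acknowledgement', text, findings }
        : { safe: false, action: 'redacted-pending-acknowledgement', text: redact(text, findings), findings };
    default:
      throw new Error(`unknown mode ${mode}`);
  }
}

// Constructed messages: one clean, one with a documentation-example AWS key,
// one with a bearer token in a pasted header.
const CLEAN_MESSAGE = 'restart the billing agent after the deploy';
const KEY_MESSAGE = 'rotate AKIAIOSFODNN7EXAMPLE after the deploy';
const HEADER_MESSAGE = 'Authorization: Bearer abcdefghijklmnopqrstuvwxyz0123 was in the log';
```

The contrast with the behaviour in the finding is the return shape: a detection always yields `safe: false`, and the caller that wants the raw text in warn mode has to say so on every call, which is the acknowledgement the finding notes is missing.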

VirusTotal

62/62 vendors reported this skill as clean.
