Outclaw Setup

Security checks across malware telemetry and agentic risk

Overview

This setup skill is purpose-aligned for configuring an outreach assistant, but it handles sensitive account connections and persistent profile data.

Install only if you want OutClaw to connect outreach accounts and store local profile/company context for future outreach. Approve only the channels you need, check OAuth scopes and third-party plugin publishers, avoid pasting full OAuth callback URLs in untrusted chats, and review the saved KB, memory, style, and cron entries after setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The setup skill includes an optional recurring cron that performs ongoing lead pulling, qualification, enrichment, research, and planning, which exceeds a one-time setup function and creates durable side effects. Even though it requires user acceptance and says not to contact anyone, it can still schedule autonomous processing of external and personal data beyond the immediate setup task.

Vague Triggers

Medium
Confidence: 81%
Finding
The trigger list contains broad phrases such as 'learn my style' and 'connect gmail|slack|linkedin|whatsapp' that are common enough to cause accidental invocation of a high-impact setup workflow. Because this skill can connect accounts, fetch websites, write KB files, and potentially schedule cron jobs, unintended activation could lead to privacy-sensitive actions or system changes without sufficiently deliberate user intent.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill directs the agent to connect third-party channels, execute install/auth commands, fetch and persist website content, write user/org profile data into a knowledge base, and optionally create recurring cron jobs, but it does not mandate clear up-front user disclosures about privacy, persistence, or system modifications. In a security context, this lack of informed-consent controls is dangerous because it combines credentialed actions, local file writes, and ongoing automation in one workflow.

Missing User Warnings

Medium
Confidence: 89%
Finding
The document explicitly instructs the setup flow to log a `tool_inventory` memory entry and persist full inventory details to `~/.openclaw/outclaw/memory/inventory.json` without any accompanying user notice, consent step, retention guidance, or access controls. Plugin inventory can reveal installed capabilities, connected outreach channels, and system state, which may expose sensitive operational metadata and create privacy or reconnaissance risk if stored broadly or reused downstream.

Missing User Warnings

Medium
Confidence: 95%
Finding
The flow explicitly instructs remote users to paste a full localhost callback URL into chat, which can include OAuth authorization codes, state values, and other sensitive query parameters. In a chat-mediated agent setup flow, that increases the chance of credential leakage into message history, logs, third-party platforms, or unintended agent memory, making token theft or account compromise more likely if the callback is intercepted or retained.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill directs collection and storage of sensitive personal and company profile data into persistent KB pages, but it does not require an explicit privacy notice, consent checkpoint, retention guidance, or data-minimization step. In a setup flow that gathers identity, employment history, public profiles, company ICP, pricing, and case studies, this omission can lead to over-collection, unexpected persistence, and compliance/privacy issues if users are not clearly informed.

VirusTotal

66/66 vendors flagged this skill as clean.
