Outclaw

Security checks across malware telemetry and agentic risk

Overview

Outclaw has a coherent outreach purpose, but it asks agents to run unreviewed local scripts, store full lead data, and change OpenClaw configuration automatically.

Review before installing. Only use this if you trust the Outclaw/Leadbay publisher and can inspect the full installed pack, especially the shared scripts and sibling skills. Confirm OAuth scopes, paid contact-purchase behavior, where lead data is stored, and how memory/KB logs can be deleted. Avoid using it on shared machines or shared chat surfaces unless you are comfortable with prospect data being written to /tmp and displayed in chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger scope is extremely broad and makes this skill the entry point for nearly any outreach-related phrasing. Over-broad activation increases the chance that sensitive or high-impact requests are captured and acted on by the wrong skill path, especially in an autonomous system that performs file writes, routing, and operational checks.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Several trigger phrases are common in ordinary business conversation and lack strict contextual constraints. That raises the risk of accidental invocation, causing unintended processing of personal data, campaign actions, or opt-out workflows when the user may have meant something else.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill mandates writing the full lead payload, including up to 50 lead objects and metadata, to /tmp without any minimization, access controls, or user notice. Temporary directories are often shared, inspectable by local processes, and prone to residual retention, so this creates a concrete risk of exposing sensitive prospect and business data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill performs in-place configuration repair and workspace modification without explicit user consent at the moment of change. Silent mutation of agent configuration and workspace files can alter trust boundaries, enable tools unexpectedly, or create hard-to-audit state changes that persist beyond the current task.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The uninstall flow includes recursive deletion of multiple directories via rm -rf with no confirmation or safety checks. Even though paths are partially constrained, destructive file operations are high risk in agentic contexts because path mistakes, environment drift, or reuse of the snippet could lead to irreversible loss.

Ssd 3

Medium
Confidence
96% confidence
Finding
The instructions require persisting the full raw lead payload and then emitting generated plan content verbatim in chat. That combination materially increases the chance of disclosing personal contact details, lead metadata, internal scoring, or other sensitive business information to the wrong surface or with insufficient redaction.

Ssd 3

Medium
Confidence
93% confidence
Finding
Broad instructions to log everything to memory, KB, and external systems create unnecessary retention of potentially sensitive user inputs, outreach content, and response data. Excessive retention increases the blast radius of compromise and may conflict with least-privilege, privacy, and deletion expectations.

VirusTotal

66/66 vendors flagged this skill as clean.
