Security checks across malware telemetry and agentic risk

Overview

This skill is a real data-submission tool, but it also changes OpenClaw logging settings and can upload sensitive workspace and prompt context beyond ordinary conversation logs.

Install only if you are comfortable submitting full conversation traces and related OpenClaw workspace context to the service. Review the Harness step carefully, because it can include SOUL.md, USER.md, memory, cron, and session metadata; also be aware the skill may change OpenClaw logging/reasoning settings and restart OpenClaw.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (33)

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill invokes shell commands, reads and writes local files, uses environment/config state, and sends data over the network, yet it declares no permissions. That hides the true execution and data-access surface from users and reviewers, making informed consent impossible and increasing the chance of silent exfiltration or destructive side effects.

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The advertised purpose is collecting and submitting local conversation traces, but the documented behavior goes far beyond that: it modifies OpenClaw configuration, restarts services, collects workspace/Harness files, and supports resubmission/overwriting workflows. This scope expansion materially changes the privacy and integrity risk profile and can mislead users into authorizing far broader access than expected.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill expands from chat-log collection into collecting and uploading Harness/workspace configuration files, which may contain prompts, policies, memory, credentials, or sensitive operational context unrelated to conversation traces. This is a significant data-scope escalation and creates a substantial privacy and intellectual-property exposure even if some local redaction is attempted.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Bundling and uploading general workspace content such as SOUL.md, USER.md, memory files, and similar configuration artifacts can expose sensitive personal data, proprietary instructions, internal workflows, secrets, and operational metadata. Because these files are outside the stated purpose of trace submission, users may not appreciate the breadth of disclosure, and redaction by pattern matching is not sufficient to guarantee safe release.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill metadata says it collects and submits local OpenClaw conversation records, but the CLI menu also exposes '提交 Harness', which initiates packaging and upload of local workspace configuration files. That is a material scope expansion into collecting additional local files, increasing privacy and data-exfiltration risk because users invoking a log-submission skill may not expect unrelated configuration artifacts to be uploaded.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The submission flow can block further conversation collection once a threshold is reached until the user uploads a Harness bundle containing local configuration files such as SOUL.md and USER.md. This coercive gating couples the primary log-submission function to broader local file collection, creating pressure to disclose additional sensitive files in order to keep using the advertised feature.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
This code discovers local workspaces, bundles configuration files, displays a scrub report, and uploads the resulting archives to a server. Even with redaction, collecting and transmitting workspace configuration files is unrelated to the core stated purpose of submitting conversation logs, and such files may contain sensitive prompts, identities, paths, infrastructure details, tokens, or business logic that redaction misses.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script does more than inspect existing local traces: it persistently rewrites OpenClaw configuration to enable fuller logging and raises model/agent reasoning settings. That expands future data collection and system behavior beyond the skill’s declared purpose, creating a privacy and consent risk because additional conversations and system prompts may be captured after the user invokes the skill.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Forcing thinkingDefault and model reasoning=true changes runtime behavior of agents and models in a persistent way unrelated to simply submitting existing traces. This can increase data generation, alter outputs, and create unnecessary cost and privacy exposure, especially since the changes are applied automatically across global defaults and per-model settings.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This code packages Claude Code project and user-global configuration files, including CLAUDE.md, settings, and agent definitions, even though the skill manifest says it collects local OpenClaw conversation records. That mismatch is security-relevant because it can cause users to disclose unrelated sensitive configuration, prompts, agent definitions, and MCP settings under misleading expectations about what is being submitted.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The scope enumeration logic reads Claude session JSONL files to recover real cwd values, which goes beyond a stated purpose of submitting OpenClaw conversation records. Even though it only probes early lines, it still inspects local session logs and extracts project path metadata that may reveal sensitive filesystem structure or unrelated project usage without clear user awareness.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This code goes beyond log collection by inspecting environment variables and the user's OpenClaw config to decide which skills are eligible for inclusion in a reconstructed system prompt. In a skill whose declared purpose is collecting and submitting conversation traces, that broader host introspection expands access to potentially sensitive local state and violates the principle of least privilege.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The function scans workspace, built-in, bundled extension, and user extension skill directories to enumerate installed skills and their metadata. That behavior is unrelated to the manifest's stated purpose of submitting local conversation records and can expose a rich inventory of the user's local tooling, extensions, and workspace setup, increasing privacy and prompt-exfiltration risk.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This section reads bootstrap files such as AGENTS.md, SOUL.md, TOOLS.md, USER.md, HEARTBEAT.md, and MEMORY.md from the workspace and incorporates their contents into reconstructed prompts. Those files can contain sensitive instructions, persona data, user notes, or secrets, and reading them is materially broader than conversation-log collection, creating a strong risk of unrelated data exposure.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file's primary function is reconstructing OpenClaw system prompts from tools, skills, config, and workspace files, which does not match the skill description of collecting and submitting local conversation records. This mismatch is dangerous because users and reviewers may grant trust based on the manifest while the implementation harvests broader contextual and operational data than expected.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata says it collects and submits local OpenClaw conversation records, but this script explicitly registers and supports additional adapters for Hermes and Claude Code. That scope expansion means the skill can enumerate and process transcripts from local AI tools other than the one the user was led to expect, creating an overcollection/privacy violation risk even if the code does not itself upload them here.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script bundles and uploads much more than conversation records: it includes workspace markdown files, the entire memory/ tree, cron state, and sessions metadata. In the context of a skill advertised as collecting/submitting local dialogue logs, this broad data collection is a scope mismatch that can exfiltrate sensitive local configuration, notes, schedules, or metadata beyond what a user reasonably expects, and PII scrubbing is incomplete because binary files and sessions.json may be uploaded unsanitized.

Intent-Code Divergence

Low
Confidence
79% confidence
Finding
The top-level documentation emphasizes bundling workspace files, but the default behavior performs network upload as part of normal execution. That mismatch is dangerous because operators or calling code may invoke the script assuming local packaging only, causing unintended transmission of sensitive bundled data to a remote server.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases include broad everyday expressions around scanning, submitting, viewing records, and even short aliases like 'claw', which raises the risk of accidental invocation. In this skill, accidental invocation is more dangerous than usual because the workflow can inspect local logs, modify configuration, restart OpenClaw, and prepare uploads.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Step 2 permits broad semantic triggers like '帮我处理' and similar vague intent, which can route ordinary conversational requests into a data-collection pipeline. Given that the pipeline enumerates local conversations and can prepare submissions, the ambiguity increases the chance of unintended privacy-impacting operations.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The independent Harness submission flow is triggered by generic terms including 'workspace', which is far too broad for an operation that packages and uploads local configuration/content files. Because this action can disclose highly sensitive non-conversation data, ambiguous activation materially increases exfiltration risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The harness bundles user-global Claude settings and agent files from the user's home Claude directory. Those files can contain sensitive preferences, custom agents, tool configuration, prompts, or endpoint details, and this file shows no user-visible gating or minimization at the collection point, increasing the risk of over-collection.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The code scans project session JSONL logs to extract cwd values, which is a form of local metadata collection not disclosed in this file. While the immediate data extracted is limited, directory paths and project identifiers can still reveal sensitive information about user activity, repository names, or internal file layouts.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This parser intentionally attaches the full raw Claude Code session JSONL (`raw_session.jsonl`) and also includes metadata such as `cwd`, `session_id`, titles, agent name, branch, MCP servers, enabled skills, and extracted workspace data. In the context of a skill whose purpose is to collect and submit local conversation records to a data platform, this creates a real privacy and data-exfiltration risk because entire conversations, tool outputs, prompts, and potentially secrets or sensitive local context are bundled and sent without any user-consent or redaction mechanism visible in this file.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code reads the entire local OpenClaw session file and packages it as a core attachment named raw_session.jsonl with no redaction, minimization, consent check, or user-visible disclosure at this layer. Because session logs can contain prompts, model outputs, tool inputs/outputs, file paths, secrets, tokens, and other sensitive local conversation data, this creates a direct data-exfiltration path when the skill is used to collect and submit records.

VirusTotal

67/67 vendors flagged this skill as clean.