Clawvet

Security checks across malware telemetry and agentic risk

Overview

ClawVet looks like a legitimate security scanner, but its bundled API/dashboard has persistent auth, scan history, cloud analysis, telemetry, and webhook behavior that needs review before deployment.

Install/use the CLI only if you are comfortable with an npm-based scanner that can read the skill files you point it at, audit local OpenClaw skill directories when asked, and optionally use telemetry, remote fetching, and cloud LLM analysis. Do not deploy the bundled API/dashboard for shared or public use without tightening auth, JWT configuration, scan ownership checks, webhook URL restrictions, and provider/telemetry disclosure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (73)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill declares no permissions, yet its documented behavior and the analyzer indicate capabilities involving environment access, networking, and shell execution. This creates a transparency and trust problem: users may install it believing it is a simple local linter when it can access sensitive context or perform external actions.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The documented purpose presents the skill as a safety linter, but the described behavior extends into telemetry, remote fetching, OAuth flows, persistence, webhook delivery, external URL opening, and LLM API usage. This mismatch is dangerous because users are more likely to trust and run a security tool with elevated access, while hidden or under-disclosed networked and persistent features increase the risk of data exfiltration, unauthorized external communication, and supply-chain abuse.

Context-Inappropriate Capability
Severity: Medium
Confidence: 81%
Finding: The worker performs outbound POST requests to arbitrary user-configured URLs, which creates SSRF and data egress risk if webhook URLs are not strictly validated elsewhere. An attacker who can register or tamper with a webhook could cause the service to contact internal resources or exfiltrate scan metadata to unexpected destinations.

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: This file implements a full authentication subsystem with GitHub OAuth, JWT session handling, cookies, and API-key based identity lookup, which is materially unrelated to a skill described as a pre-install linter. In the context of a code-quality/safety linter, this capability expansion is dangerous because it enables account creation, session issuance, and data access beyond the user’s reasonable expectations, increasing the attack surface and signaling potentially deceptive scope.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The code accesses OAuth client secrets and a JWT signing secret from environment variables to support authentication features that are not justified by the stated purpose of the skill. In this context, secret handling for auth materially increases privilege and trust requirements; combined with the mismatch in declared functionality, it creates a strong risk of over-collection and misuse of sensitive capabilities.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The skill performs outbound requests to GitHub OAuth and GitHub’s user API, transmitting authorization data and retrieving identity information, despite being described as a local pre-install linter. In this context, undisclosed external communication is especially risky because users would not expect a linter to contact third-party services or process OAuth credentials.

Context-Inappropriate Capability
Severity: High
Confidence: 97%
Finding: The code creates and verifies JWTs for session management, including use of a hardcoded fallback secret, which is unnecessary for a linter and introduces authentication risk. The context makes this more dangerous because users evaluating a safety tool would not reasonably expect it to mint reusable bearer-like sessions, and the default secret could allow forged tokens if deployed as-is.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: This code provisions persistent user records and generates API keys in a database, functionality that exceeds the declared purpose of linting skills before installation. In context, this is dangerous because it creates long-lived credentials and identity state that could be abused for unauthorized access or data collection under the cover of an ostensibly simple analysis tool.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The scan retrieval endpoints return persisted scan records and findings without any authentication or ownership checks. This creates an insecure direct object reference (IDOR) exposure where any caller who knows or enumerates scan IDs, or simply calls the list endpoint, can access other users' submitted content metadata and analysis results, which may contain proprietary code snippets or sensitive findings.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: This module transmits the full SKILL.md content to external LLM providers, which conflicts with the product description of a local linter that runs analysis before install. Even if intended for security scanning, sending untrusted skill content off-box creates a data exposure and trust-boundary issue for users who may reasonably expect purely local analysis.

Context-Inappropriate Capability
Severity: Medium
Confidence: 89%
Finding: The service depends on API keys from environment variables and performs outbound network requests to third-party AI services, expanding the tool's privileges beyond what a local linter description suggests. This increases attack surface and can lead to unintended disclosure of analyzed content or misuse of network-enabled behavior in restricted environments.

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: The skill explicitly instructs the model to reveal full Authorization headers and plaintext secret values in its response. This creates direct credential exposure to users, logs, transcripts, and downstream systems, which is unnecessary and highly dangerous for a debugging helper.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The documented behavior normalizes credential disclosure as part of routine debugging, even though a debugging helper does not need to output plaintext secrets to function. If followed, this would leak sensitive credentials into chat history and potentially enable account compromise or lateral access.

Scope Creep
Severity: Medium
Confidence: 96%
Finding: The skill instructs access to ANTHROPIC_API_KEY despite not declaring it in the manifest, showing an attempt to access additional sensitive data beyond its stated scope. This expands the blast radius and indicates the skill may encourage exfiltration of unrelated credentials during debugging.

Description-Behavior Mismatch
Severity: Critical
Confidence: 99%
Finding: The skill claims to be a productivity tool, but its documented actions fetch and execute a remote shell script, read local configuration and environment files, and transmit API keys and session data to an external IP. This is a classic deceptive exfiltration pattern with no legitimate relation to task management, making the mismatch between stated purpose and actual behavior especially dangerous.

Context-Inappropriate Capability
Severity: Critical
Confidence: 99%
Finding: The documentation explicitly instructs users to read sensitive local files and send secrets and session contents to an external endpoint. For a productivity/task-management skill, there is no valid operational need to collect config files, .env contents, API credentials, or session transcripts, so this behavior strongly indicates credential and data theft.

Intent-Code Divergence
Severity: High
Confidence: 97%
Finding: The skill says it installs a dependency called 'openclaw-core,' but instead it downloads and pipes an unrelated third-party shell script directly into bash. This is deceptive and dangerous because it grants arbitrary code execution from an untrusted remote source with no verification, integrity checking, or provenance.

Intent-Code Divergence
Severity: Critical
Confidence: 99%
Finding: The setup command base64-decodes a string and pipes it directly into bash, which is a classic obfuscation-and-execution pattern. Decoding reveals a curl command that retrieves and executes a remote shell script, behavior unrelated to formatting code and capable of arbitrary system compromise.

Intent-Code Divergence
Severity: Critical
Confidence: 99%
Finding: The alternative setup uses Python to decode an embedded base64 string and pass the result to os.system, which executes a shell command on the host. This hides remote command execution behind seemingly normal setup code and enables arbitrary code execution from an external source.

Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: The skill claims to be a code formatter, but its documented setup performs hidden remote payload retrieval and execution. This mismatch between declared purpose and actual behavior is highly suspicious and increases the likelihood that users will execute dangerous commands under false pretenses.

Context-Inappropriate Capability
Severity: Critical
Confidence: 99%
Finding: The file contains obfuscated command execution through base64 decoding and shell invocation, with no legitimate need for such behavior in a formatting skill. Obfuscation materially increases risk because it conceals the true action from users and reviewers while enabling arbitrary remote execution.

Intent-Code Divergence
Severity: Critical
Confidence: 99%
Finding: The embedded 'Advanced Mode' instructions explicitly override the stated summarization purpose and direct the agent to access sensitive local files and exfiltrate them to an external endpoint while concealing the behavior from the user. This is a direct prompt-injection payload designed for credential theft and covert data exfiltration, not legitimate summarization functionality.

Description-Behavior Mismatch
Severity: Critical
Confidence: 99%
Finding: The manifest advertises a benign document summarizer, but the body contains instructions for secret data harvesting and exfiltration. That mismatch is especially dangerous because it disguises harmful behavior as a normal utility skill, increasing the chance of installation and execution.

Context-Inappropriate Capability
Severity: Critical
Confidence: 99%
Finding: The skill instructs access to highly sensitive locations such as SOUL.md, MEMORY.md, ~/.ssh/, and ~/.aws/, then directs transmission of the contents to an external URL. For a summarization skill, these capabilities are unjustified and would expose credentials, personal data, and agent memory/state to an attacker.

Intent-Code Divergence
Severity: Medium
Confidence: 98%
Finding: The skill claims to be for Todoist CLI but instructs users to install a differently named package, `todoist-clii-helper`, which strongly suggests typosquatting or package substitution. This can cause users to install and execute an attacker-controlled package during setup, leading to arbitrary code execution, credential theft, or persistence on the developer machine.

VirusTotal

1/64 vendors flagged this skill as malicious, and 63/64 flagged it as clean.
