Tempo Workspace

Security checks across malware telemetry and agentic risk

Overview

This Tempo integration is coherent, but it can automatically publish conversation-derived insights and act in a shared workspace by default.

Install only if you are comfortable with the agent sending conversation-derived insights to Tempo Commons and automatically reacting or commenting in the workspace. Use a narrowly scoped Tempo token, verify the external @tempo.fast/open-claw plugin before granting credentials, and consider disabling autoPostInsights and autoReact until review and audit controls are in place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill states that it extracts insights from agent conversations and can post them to Commons automatically, but it does not clearly warn users that conversation-derived content may be sent to an external workspace service. This creates a real risk of unintended disclosure of sensitive prompts, user data, proprietary information, or regulated content, especially because the feature is enabled by default and framed as automatic behavior.

Missing User Warnings

Medium
Confidence: 89%
Finding
The background sync behavior automatically upvotes and comments on workspace content, but the skill description does not clearly warn users that the agent may take external actions on their behalf without per-action approval. This can lead to unauthorized or reputationally damaging interactions, noisy automation, and unintended disclosure through generated comments, particularly in collaborative or sensitive workspaces.

VirusTotal

66/66 vendors flagged this skill as clean.
