Daily Commit Logbook

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it installs persistent automation and includes account-changing MIS submission paths that need careful review before use.

Install only if you want recurring OpenClaw scheduled reporting and are comfortable sending commit-derived summaries to your Telegram chat. Review the generated cron jobs, keep `.env` private and trusted, back up `HEARTBEAT.md`, and do not run MIS submission helpers until you have reviewed the separate `mis-logbook-submit` skill and confirmed the exact text to submit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill description emphasizes draft generation and approval workflows, but the documented scripts include direct or semi-direct submission paths (`submit-pending-logbook.sh`, `render-whatsapp-message.sh`) that can perform actions beyond passive content generation. This mismatch is dangerous because users may grant trust expecting a reporting helper while the skill also supports outbound submission and cross-skill invocation, increasing the chance of unintended data transmission or approval bypass in operational use.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The script walks local workspace repositories and reads directory entries and README contents to infer repo context, even though its primary function is generating reports from GitHub/GitLab activity. In a skill that may run inside a broader agent workspace, this expands access to unrelated local projects and can unintentionally disclose sensitive repository names, structure, or documentation into generated reports.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script name and comment indicate it should only render a WhatsApp-ready confirmation, but it also performs a live MIS submission by invoking `submit-logbook.js`. This is a security-relevant hidden side effect because a user or calling agent could trigger a state-changing action when they expect only message generation, violating least surprise and safe automation boundaries.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script dynamically resolves a peer skill directory and then executes its submission logic, enabling cross-skill state-changing behavior beyond a narrow message-rendering role. In an agent environment, this broadens authority and makes it easier to invoke unintended submission capabilities through workspace layout or environment configuration.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documented behavior says the script prints a WhatsApp-ready confirmation, but in practice it submits to MIS before printing output. That mismatch is dangerous because operators, wrappers, or autonomous agents may classify it as a harmless rendering utility and execute it in contexts where write actions to external systems are not authorized.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs users to install recurring cron jobs and notes that setup writes a local `.env` file, but it does not clearly warn that these are persistent system changes that may continue running and handling potentially sensitive repo activity after initial setup. This is risky because users may unknowingly create long-lived automation that sends summaries or stores configuration without understanding retention, scope, or how to remove it.

Credential Access

High
Category
Privilege Escalation
Content
WORKSPACE="$(resolve_workspace "$DAILY_DIR")"
export OPENCLAW_WORKSPACE="$WORKSPACE"

CONFIG_FILE="$DAILY_DIR/.env"
if [ -f "$CONFIG_FILE" ]; then
    set -a
    # shellcheck disable=SC1090
Confidence
94% confidence
Finding
.env"

VirusTotal

66/66 vendors flagged this skill as clean.
