EvidenceOps - Forensic Evidence Management

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real evidence-management skill, but it needs review because some strong security and chain-of-custody guarantees are not fully enforced in the implementation.

Install only in a controlled evidence-handling environment. Configure a strict channel allowlist, require operator approval before ingestion/export, restrict OpenClaw's readable filesystem scope to a dedicated staging directory, and verify S3 Object Lock, cache behavior, and export integrity before relying on this for formal chain-of-custody work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The S3 driver initializes and relies on a local FilesystemDriver cache, then uses that cache as a fallback store when S3 reads fail. In an evidence-handling context, silently degrading from object-locked remote storage to mutable local storage undermines integrity guarantees and chain-of-custody expectations, and can cause users to rely on evidence that no longer has the same tamper-resistance or central audit properties.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
Exporting entirely from the mutable local cache means exported evidence may differ from the authoritative S3 object, especially if the cache is stale, altered, or incomplete. For a forensic evidence vault, this directly weakens evidentiary reliability and can break chain-of-custody because the export path bypasses the supposed source of record.

Missing User Warnings

Medium
Confidence: 93%
Finding
The ingest tool accepts an arbitrary local file path and immediately performs fs.stat on it before passing that path to the storage driver. In an agent/tooling context, this creates a capability to access local filesystem content selected by tool callers without any built-in restriction, consent prompt, or path allowlist, which can expose sensitive host files if misused or prompt-injected.

Missing User Warnings

Medium
Confidence: 90%
Finding
The tool packages the file path, metadata, and source context and forwards them to the configured backend driver, which may be S3 or another external storage target. In a forensic-evidence context this transfer is expected, but without explicit disclosure, destination controls, or egress policy checks, sensitive evidence and associated metadata could be silently sent off-host or to an unintended backend.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill explicitly instructs collection of sender identifiers, source channel, and message IDs for evidence intake, but it does not clearly warn operators that this metadata may constitute personal data and will be retained in the vault and manifest. In a forensic workflow this creates privacy and compliance risk because users may ingest regulated personal data without informed handling, minimization, or redaction expectations.

Missing User Warnings

Medium
Confidence: 91%
Finding
The derivative-generation section allows creation of thumbnails, transcripts, previews, and OCR outputs from sensitive evidence, but does not clearly warn that these derived artifacts are additional stored copies that may expand exposure of confidential or personal content. In an evidence-handling context, derivatives can materially increase disclosure risk because extracted text and previews are easier to search, copy, and exfiltrate than the original binary media.

VirusTotal

66/66 vendors flagged this skill as clean.
