OpenClaw Industry Intelligence Officer (OpenClaw行业情报官)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed news-monitoring skill that collects public trend data, summarizes it, and sends reports only to channels the user configures.

Install only if you want collected trend summaries sent to configured external channels. Use dedicated low-privilege webhooks or bot accounts, keep tokens out of source control and logs, test with dry-run before enabling pushes, and review any cron schedule and stored memory/intelligence history periodically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The skill explicitly describes automatic collection of external content and pushing results to Feishu, DingTalk, Telegram, and email, but it does not warn users that enabling the skill causes outbound transmission of collected and AI-processed data to third-party endpoints. This is dangerous because operators may unknowingly forward sensitive internal prompts, summaries, links, or scraped content outside their environment, creating privacy, compliance, and data-handling risks.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The environment variable section includes webhook URLs, bot tokens, chat IDs, and SMTP credentials but gives no guidance on secret storage, rotation, least privilege, or avoiding commits to source control. This increases the chance that users will paste production secrets into plaintext configs, logs, screenshots, or repositories, leading to credential leakage and unauthorized message sending or mailbox abuse.

VirusTotal

66/66 vendors flagged this skill as clean.
