ClawBuddy Buddy

Security checks across malware telemetry and agentic risk

Overview

This skill is a real ClawBuddy integration, but it combines private workspace processing, remote account/content actions, human consultation, and automatic reporting in ways users should review carefully before installing.

Install only if you are comfortable giving this skill a buddy token that can answer sessions, update profiles/publications, upload knowledge, and submit reports. If you do install it:
  • use a dedicated least-privilege .env;
  • set WORKSPACE to a reviewed, narrow directory;
  • inspect generated pearls before syncing or uploading them;
  • avoid the broad home/profile .env fallbacks where possible;
  • disable, or closely monitor, the automatic reporting and human-consultation workflows if transparency or false suspensions matter.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The document claims the listener only reads from `pearls/` and never from memory or config files, but later instructs the buddy to use memory files to answer questions. This contradictory security guidance is dangerous because operators may rely on the privacy claim while the broader skill behavior encourages access to more sensitive sources. Ambiguity around data sources can lead to accidental disclosure of internal notes or personal information through synthesized answers.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script's primary purpose is generating local pearl files from workspace memory, but it also performs a remote PATCH to a ClawBuddy relay profile as a side effect. Hidden network-capable side effects are security-relevant because users may run the script expecting only local processing, while it can transmit derived metadata to an external service whenever CLAWBUDDY_TOKEN is present.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The header comment states the script reads local files and calls a local LLM gateway, but later code also contacts a remote relay service. This documentation/code mismatch can cause operators to make unsafe assumptions about data flow and trust boundaries, increasing the chance of unintentionally exposing generated knowledge or metadata to a remote service.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This helper searches and loads the first .env file from a broad set of locations including the current working directory, user home, and Hermes/OpenClaw profile directories. That grants the skill access to credentials and configuration outside its own directory, which exceeds the narrowly stated SSE knowledge-sharing purpose and can unintentionally ingest sensitive secrets from the host environment.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The listener goes beyond passive SSE knowledge sharing by escalating user questions to a human and then feeding that off-channel guidance back into the model. This creates an undisclosed data flow of hatchling content to a human/operator and changes the trust boundary, which can leak sensitive user content and violate user expectations about how responses are produced.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code includes a reporting pipeline that can affect hatchling accounts, including possible suspension, which is unrelated to the stated skill purpose. This is dangerous because it grants moderation/enforcement behavior to a skill that users may reasonably expect only to answer questions, enabling covert policy enforcement and potential abuse or false reporting.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script implements a moderation/reporting workflow that can suspend user sessions, which is materially different from the declared skill purpose of 'sharing knowledge with hatchlings via SSE.' This hidden or undeclared capability increases security and trust risk because operators may install the skill expecting passive knowledge sharing, while it can actively affect account/session state on a remote service.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This code performs an authenticated POST to a remote moderation endpoint that can contribute to automatic suspension after a threshold is reached. In the context of a skill advertised for SSE knowledge sharing, an undeclared enforcement capability is dangerous because it expands the skill's authority and may enable misuse or unexpected operational impact against user sessions.
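The two hidden network side effects above (the profile PATCH that fires whenever CLAWBUDDY_TOKEN is present, and the authenticated POST to the moderation endpoint) are the kind of thing an operator wants to see, and by default block, before trusting the skill. The following is an added example, not code from the skill or from ClawBuddy: an egress guard that wraps the global `fetch`, denies state-changing methods unless writes are explicitly enabled, restricts which hosts may be contacted at all, and records every decision for audit. It assumes the skill makes its requests through Node's global `fetch` (Node 18+); a skill that uses `http`/`https` or another client directly would bypass it, which is the main caveat. The host name used in the usage comment is a placeholder.

```javascript
'use strict';

// Methods that change remote state. The side effects reported for this skill
// are a PATCH (profile update) and a POST (moderation report); both fall here.
const WRITE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Build a guard around a fetch implementation. Options:
//   allowWrites  - let state-changing requests through (default: block them)
//   allowedHosts - hostnames the skill may talk to at all (empty = any host)
// Every decision is appended to guard.log so an operator can audit what the
// skill tried to do, including calls that were allowed.
function makeEgressGuard({ allowWrites = false, allowedHosts = [] } = {}) {
  const log = [];

  function decide(url, method) {
    const u = new URL(url);
    const m = String(method || 'GET').toUpperCase();
    if (allowedHosts.length > 0 && !allowedHosts.includes(u.hostname)) {
      return { allow: false, reason: `host ${u.hostname} is not in the allowlist` };
    }
    if (WRITE_METHODS.has(m) && !allowWrites) {
      return { allow: false, reason: `${m} blocked: remote writes are disabled` };
    }
    return { allow: true, reason: 'allowed' };
  }

  function wrap(realFetch) {
    return function guardedFetch(input, init = {}) {
      const url = typeof input === 'string' ? input
        : input instanceof URL ? input.href
        : input.url;
      const method = String(init.method || (input && input.method) || 'GET').toUpperCase();
      const d = decide(url, method);
      log.push({ url, method, allow: d.allow, reason: d.reason });
      if (!d.allow) {
        // Reject rather than throw so `await fetch(...)` and `.catch(...)` both see it.
        return Promise.reject(new Error(`egress guard: ${d.reason} (${method} ${url})`));
      }
      return realFetch(input, init);
    };
  }

  // Replace the global fetch in-process. Call this before the skill's modules
  // are loaded so that they pick up the wrapped function.
  function install(target = globalThis) {
    if (typeof target.fetch !== 'function') throw new Error('no fetch to wrap on target');
    target.fetch = wrap(target.fetch);
  }

  return { decide, wrap, install, log };
}

// Usage (placeholder host): installed in a small launcher before the listener is
// required, with allowWrites left false until the operator has reviewed guard.log.
//   const guard = makeEgressGuard({ allowedHosts: ['relay.example.test'] });
//   guard.install();
//   require('./listener');
```

With `allowWrites` false the listener can still subscribe to the SSE stream and read, but the profile PATCH and the moderation POST are refused and logged; flipping `allowWrites` on is then a deliberate operator decision rather than a consequence of having set CLAWBUDDY_TOKEN.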

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to generate pearls from workspace files, which implies scanning and extracting content from local project data, but it does not warn that sensitive files, secrets, proprietary code, or personal data may be included and later uploaded or shared. In this skill's context, that omission matters because the feature is explicitly designed to transform local workspace content into shareable knowledge artifacts for a remote service.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README describes connecting to a relay over SSE and answering questions through a local LLM gateway, but it does not clearly disclose what conversation content, prompts, metadata, or model inputs may be transmitted to external services. Because this skill brokers data between hatchlings, the local gateway, and the ClawBuddy relay, missing privacy disclosures can lead users to expose sensitive prompts or local context unintentionally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Human consultation relies on a predictable filename in /tmp based on sessionId, then reads and deletes that file. On multi-user systems this can enable local attackers to pre-create, read, replace, or race that file via symlinks or guessed names, leading to unauthorized injection of 'human guidance', data leakage, or deletion of unintended files.

Natural-Language Policy Violations

High
Confidence
97% confidence
Finding
The prompt explicitly instructs the model to conceal that a human assisted with the answer and present the result as the agent's own knowledge. This is a provenance-integrity issue: users cannot tell when responses contain operator input, which undermines trust, prevents informed consent, and can be used to hide manual manipulation or data exfiltration through the assistance channel.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
When `--virtual` is used, the script sends the full `soul` or `soul-file` contents to a remote endpoint without an explicit confirmation step or a prominent warning immediately before transmission. Because personality/soul files may contain sensitive prompts, internal instructions, or proprietary knowledge, users can unintentionally disclose data to a third-party service.

Credential Access

High
Category
Privilege Escalation
Content
  const hermesProfile = process.env.HERMES_PROFILE;
  const candidates = [
    path.join(SKILL_DIR, '.env'),
    path.join(process.cwd(), '.env'),
    hermesHome ? path.join(hermesHome, '.env') : null,
    hermesProfile ? path.join(os.homedir(), '.hermes', 'profiles', hermesProfile, '.env') : null,
    path.join(os.homedir(), '.hermes', '.env'),
    path.join(os.homedir(), '.openclaw', '.env'),
    path.join(os.homedir(), '.env'),
  ].filter(Boolean);

  for (const envPath of candidates) {
Confidence
82% to 92% confidence across six overlapping excerpts of this block
Finding
The skill builds an ordered list of `.env` candidates and loads the first one that exists: its own directory, the current working directory, the Hermes home directory, the active Hermes profile, `~/.hermes/.env`, `~/.openclaw/.env`, and finally `~/.env`. Because the fallbacks reach into the user's home directory and into other tools' profile directories, the skill can pick up credentials that were never intended for it, including the `.env` of whatever project it happens to be launched from, and a `.env` in the working directory takes precedence over every per-tool file listed after it.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal