Security audit

Batch Compile

Security checks across malware telemetry and agentic risk

Overview

The skill’s batch import workflow is mostly coherent, but it requires broad Gitea administrative authority and creates persistent control-plane state beyond a narrow import task.

Review this skill before installing in any shared or production OpenClaw environment. Use a narrowly scoped Gitea service account if possible, restrict which repositories it can read and write, protect the .env file, confirm where the system-config repository will live, and pin dependencies before processing untrusted zip, PDF, DOCX, or spreadsheet inputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (26)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill orchestrates shell commands, reads and writes local files under /tmp, and accesses network-backed sources such as Gitea repositories, yet it declares no explicit permissions or capability boundaries. This creates a real security governance gap: reviewers and runtime policy engines cannot reliably enforce least privilege, and the skill handles untrusted repository URLs, zip uploads, and callback values that increase the risk from overbroad implicit access.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This helper can create repositories and modify collaborators, which exceeds a narrowly scoped 'batch compile existing sources' role and introduces administrative side effects. In a skill that processes imported content, these capabilities expand blast radius if the skill is misused, misconfigured, or invoked on untrusted inputs.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The module is designed to use a site-admin Gitea token and exposes admin-only operations, creating unnecessary privilege for a content compilation workflow. If the skill or host is compromised, the token enables broad administrative actions across the Gitea instance rather than limiting impact to a single repository.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
This module creates and maintains a persistent 'system-config' control-plane repository containing users, teams, chat bindings, permissions, sources, jobs, and task state, which materially exceeds a batch-compilation/import function. In a skill advertised for compiling/importing knowledge sources, hidden control-plane state introduces unauthorized data persistence and administrative capability that could be abused for surveillance, access control changes, or long-lived state tracking outside user expectations.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The initialization of chat binding, pending binding, event logging, and invite-code support is not necessary for batch compilation and suggests hidden identity/linking capabilities. In this context, those features enable associating chat identities with repository-side records and onboarding flows without a clear need, increasing the risk of covert user mapping or unauthorized workspace enrollment.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Managing a permissions registry inside an import/compile skill is a context mismatch and expands the blast radius from content ingestion to access-control administration. If other code trusts this repository as an authority, unauthorized or unintended writes could alter privileges or create confused-deputy behavior across the broader system.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
These functions perform remote state-changing operations—creating repositories and altering collaborator permissions—without any confirmation or visible guardrails in this module. In an agent skill context, silent side effects are risky because they can be triggered indirectly by higher-level automation or prompt-driven workflows.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The file write helpers can create or overwrite remote repository contents and include fallback logic that retries updates on existing files. In an automated skill, this can cause unintended content tampering or propagation if inputs are wrong, repos are mis-targeted, or the skill is abused.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
ensure_system_repo() performs remote repository creation and writes multiple files automatically, but the code shows no visible disclosure, confirmation, or user-facing indication that persistent remote state is being established. In a batch-import skill, silent side effects are dangerous because users may expect temporary processing rather than creation of a durable control repository containing operational metadata.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
write_json() updates remote files in the system repository without any local indication of approval, provenance, or user notification. This lack of transparency makes unauthorized state changes harder to detect and can conceal administrative or tracking behavior inside a skill that appears to only process source material.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
update_json() implements a generic read-modify-write primitive over the system control repository, enabling arbitrary mutation of persistent state with retries, but without visible disclosure or built-in policy checks. In this skill context, a generic silent mutation API is risky because it can support hidden expansion from import tracking into broader account, team, or permission management.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
_load_env()

GITEA_URL = os.environ.get("GITEA_URL", "").rstrip("/")
ADMIN_TOKEN = os.environ.get("GITEA_ADMIN_TOKEN", "")
BOT_USERNAME = os.environ.get("GITEA_BOT_USERNAME", "AIFusionBot")
Confidence
70% confidence
Finding
os.environ.get("GITEA_ADMIN_TOKEN

Credential Access

High
Category
Privilege Escalation
Content
    except ImportError:
        return
    here = Path(__file__).resolve().parent
    for candidate in (here / ".env", here.parent / ".env"):
        if candidate.exists():
            load_dotenv(candidate)
            return
Confidence
60% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
    except ImportError:
        return
    here = Path(__file__).resolve().parent
    for candidate in (here / ".env", here.parent / ".env"):
        if candidate.exists():
            load_dotenv(candidate)
            return
Confidence
60% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
#!/usr/bin/env bash
set -e
python3 -m pip install -r requirements.txt
if [ ! -f .env ]; then cp env-example.txt .env; fi
echo "setup complete"
Confidence
60% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-dotenv
pymupdf
python-docx
Confidence
95% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-dotenv
pymupdf
python-docx
openpyxl
Confidence
95% confidence
Finding
python-dotenv

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-dotenv
pymupdf
python-docx
openpyxl
xlrd
Confidence
95% confidence
Finding
pymupdf

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-dotenv
pymupdf
python-docx
openpyxl
xlrd
Confidence
97% confidence
Finding
python-docx

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-dotenv
pymupdf
python-docx
openpyxl
xlrd
Confidence
97% confidence
Finding
openpyxl

Unpinned Dependencies

Low
Category
Supply Chain
Content
pymupdf
python-docx
openpyxl
xlrd
Confidence
93% confidence
Finding
xlrd

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
83% confidence
Finding
requests

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
67% confidence
Finding
python-dotenv

Known Vulnerable Dependency: pymupdf — 1 advisory(ies): CVE-2026-3029 (PyMuPDF has a path traversal in _main_.py)

Low
Category
Supply Chain
Confidence
64% confidence
Finding
pymupdf

Known Vulnerable Dependency: python-docx — 2 advisory(ies): CVE-2016-5851 (Improper Restriction of XML External Entity Reference in python-docx); CVE-2016-5851 (python-docx before 0.8.6 allows context-dependent attackers to conduct XML Exter)

High
Category
Supply Chain
Confidence
92% confidence
Finding
python-docx

VirusTotal

64/64 vendors flagged this skill as clean.