entrepreneur-skill

Security checks across malware telemetry and agentic risk

Overview

This founder-advisor skill is mostly coherent, but it asks for broad command, file, network, social, and onchain authority that is not tightly scoped to its stated workflows.

Review before installing. Keep optional integrations disabled until separately vetted, and only run it in an agent runtime where Bash, curl/WebFetch, file writes, openclaw commands, onchain actions, and purchase-related actions require explicit human approval and tight scoping.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Context-Inappropriate Capability (Medium, 90% confidence)

Finding: The manifest grants powerful capabilities (arbitrary Bash via npm/npx/openclaw/curl plus Read/Write/WebFetch) that go well beyond what is necessary for a startup-advisory persona. If the agent is induced to act on user prompts or delegated workflows, these tools could be used to execute commands, exfiltrate data, modify files, or make external network requests without adequate scope limitation.

Description-Behavior Mismatch (Medium, 84% confidence)

Finding: The skill is presented as founder guidance, but it also advertises multi-agent orchestration, capability routing, trust governance, agent economics, and multi-tenant delivery. That mismatch increases the chance that the agent will be used as an operational controller rather than a purely advisory assistant, expanding the attack surface and enabling indirect execution of risky actions through other agents or tenants.

Description-Behavior Mismatch (Medium, 87% confidence)

Finding: The persona states that financing, equity, legal, employment authority, and irreversible external commitments require explicit human confirmation, yet the manifest enables external interaction features such as ACN and A2A. Without hard technical enforcement, this boundary is only a prompt-level instruction and may be bypassed, allowing the agent to take or initiate consequential external actions despite the stated approval requirement.

Vague Triggers (Medium, 91% confidence)

Finding: The manifest exposes broad shell, file, and network tools but does not specify any invocation constraints, safe-use conditions, or policy guardrails. In practice, this means a prompt injection, misrouting event, or malicious downstream instruction could cause the agent to execute unsafe commands or access data far outside the intended founder-advisory role.

VirusTotal

59/59 vendors flagged this skill as clean.