ClawHub

Turnip Prophet

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Animal Crossing turnip predictor with clearly disclosed optional local reminders, but users should review the package install and cron setup before enabling extras.

Use the core predictor if you are comfortable with local turnip data being stored in the skill's memory files. Review any pip, brew, or sudo package-install command before running it. Enable reminders only if you want scheduled messages sent through your existing OpenClaw messaging setup, and verify the channel, target ID, OpenClaw path, and crontab entries before installing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no permissions while clearly requiring shell execution for package installation, file access, Python execution, and cron-related setup. This undermines least-privilege review because operators may approve a seemingly harmless predictor without realizing it can execute commands and modify local state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The manifest advertises a turnip-price predictor, but the skill also sets up persistent cron jobs, reads/writes local config, sends automated outbound messages, and logs activity. This mismatch is dangerous because reviewers and users may grant trust based on a narrow stated purpose while hidden operational behavior expands the attack surface substantially.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill introduces automated reminder setup and outbound messaging capabilities that are not reflected in the high-level manifest description. Even if framed as optional, undisclosed side functionality can surprise users and bypass informed consent during installation or review.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Cron-based scheduled messaging creates persistence and recurring outbound actions that exceed the core need of computing turnip predictions. Persistent automation is security-relevant because it survives the immediate interaction and can continue using local credentials and messaging integrations later.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script sends outbound messages through a configured gateway binary, which expands the skill from passive turnip-price prediction into an active notification capability. That creates a real security and governance concern because a misconfigured or attacker-controlled config file could cause unsolicited messaging or abuse of the messaging gateway, and this behavior is not clearly aligned with the stated skill purpose.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
"id": "jq-debian",
              "kind": "shell",
              "label": "Install jq (Debian/Ubuntu)",
              "command": "sudo apt-get update && sudo apt-get install -y jq",
              "when": "debian"
            },
            {
Confidence
93% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
"id": "jq-debian",
              "kind": "shell",
              "label": "Install jq (Debian/Ubuntu)",
              "command": "sudo apt-get update && sudo apt-get install -y jq",
              "when": "debian"
            },
            {
Confidence
93% confidence
Finding
sudo

Session Persistence

Medium
Category
Rogue Agent
Content
**Removing cron entries:**
```bash
# Edit crontab and remove the turnip-prophet lines
crontab -e
```

**Important:** You must explicitly confirm the setup flow before any config is saved. Declining the setup offer means nothing is stored.
Confidence
94% confidence
Finding
crontab -e

Session Persistence

Medium
Category
Rogue Agent
Content
cat /tmp/turnip-cron-$$.txt
   
   # If it looks good, install:
   (crontab -l 2>/dev/null; cat /tmp/turnip-cron-$$.txt) | crontab -
   ```
3. Ask user to run the commands and confirm when done
4. Reply: "✅ Reminders configured. You'll only get pings for missing data. Check `crontab -l` to verify installation. To remove: `rm memory/turnip-config.json` and remove the cron entries."
Confidence
95% confidence
Finding
crontab -l

Session Persistence

Medium
Category
Rogue Agent
Content
(crontab -l 2>/dev/null; cat /tmp/turnip-cron-$$.txt) | crontab -
   ```
3. Ask user to run the commands and confirm when done
4. Reply: "✅ Reminders configured. You'll only get pings for missing data. Check `crontab -l` to verify installation. To remove: `rm memory/turnip-config.json` and remove the cron entries."

**On rejection/cancel:**
- Reply: "No problem. No data was stored. You can set this up anytime by asking about turnip prices again."
Confidence
94% confidence
Finding
crontab -l

Chaining Abuse

High
Category
Tool Misuse
Content
"id": "jq-debian",
              "kind": "shell",
              "label": "Install jq (Debian/Ubuntu)",
              "command": "sudo apt-get update && sudo apt-get install -y jq",
              "when": "debian"
            },
            {
Confidence
88% confidence
Finding
&& sudo

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal