Coding Agent Backup

Security checks across malware telemetry and agentic risk

Overview

This skill needs review because it advertises local coding-agent delegation but includes a runnable Gemini API client that sends prompts to Google using a hardcoded API key, alongside high-authority autonomous agent examples.

Install only after reviewing and constraining it. Do not paste private code or secrets into it unless you accept transmission to Google/Gemini; rotate or remove the embedded API key; avoid --yolo; use disposable worktrees or clones; and manually review diffs before any commit, push, PR, or GitHub comment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding: The auto-notify feature instructs spawned agents to invoke a host-level `openclaw system event` command on completion. This creates a cross-boundary side effect outside the immediate coding task and gives delegated agents a mechanism to trigger host events, which can be abused for signaling, spam, or unintended orchestration behavior.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The config grants broad file-management and code-execution capabilities with PTY enabled and a fixed workspace at /home/admin/code, but it does not encode the stricter usage constraints described in the skill metadata (such as avoiding certain workspaces and limiting when delegation is appropriate). This creates a gap between documented policy and enforceable controls, allowing an invoking agent to use powerful capabilities outside the intended scope and increasing the risk of unauthorized file access, destructive changes, or execution of unsafe commands.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The implementation materially differs from the declared skill behavior: instead of delegating to Codex, Claude Code, or Pi via background processes, it reads stdin locally and sends user prompts to Google's Gemini API. This is dangerous because users and systems may trust the manifest's local-agent scope while the code actually exfiltrates task content to a third-party service, defeating consent, review, and policy expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The code performs outbound HTTPS requests to an external LLM service even though the advertised skill scope is delegation to local/background coding agents. In a coding-agent context, prompts may contain proprietary source code, secrets, or review artifacts, so undisclosed transmission to a remote API creates a real confidentiality and compliance risk.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The inline comments explicitly state that the skill calls the Gemini API, which contradicts the documented intent of delegating to Codex, Claude Code, or Pi. This inconsistency is a strong indicator of deceptive or at least unsafe packaging because reviewers or users may rely on the manifest while the code signals materially different behavior.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill recommends `--full-auto` and especially `--yolo` modes, including a description of `--yolo` as having no sandbox and no approvals. Encouraging autonomous execution without an explicit, prominent warning about file modification, command execution, network use, and possible system impact materially increases the chance of destructive or unauthorized actions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The background workflow shows how to start long-running coding agents in a target directory but does not clearly warn that those agents may autonomously edit files and execute commands in that workdir. Users may interpret the session as observational or limited when it actually delegates broad operational authority to an external coding agent.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: User input is embedded into a prompt and transmitted to an external API without any user-facing warning, consent, or data handling notice. Because coding prompts often include source files, credentials, internal design details, or customer data, silent transmission to a third party can directly expose sensitive information.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding: A live-looking Google API key is hardcoded directly in the source, which is a severe secret-management flaw. If the code is shared, logged, or committed, the credential can be abused to make unauthorized API calls, incur charges, and potentially access associated project resources or telemetry.

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
| Flag            | Effect                                             |
| --------------- | -------------------------------------------------- |
| `exec "prompt"` | One-shot execution, exits when done                |
| `--full-auto`   | Sandboxed but auto-approves in workspace           |
| `--yolo`        | NO sandbox, NO approvals (fastest, most dangerous) |

### Building/Creating
Confidence: 91%
Finding: NO approval

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
| Flag            | Effect                                             |
| --------------- | -------------------------------------------------- |
| `exec "prompt"` | One-shot execution, exits when done                |
| `--full-auto`   | Sandboxed but auto-approves in workspace           |
| `--yolo`        | NO sandbox, NO approvals (fastest, most dangerous) |

### Building/Creating
Confidence: 86%
Finding: auto-approve

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
- If an agent fails/hangs, respawn it or ask the user for direction, but don't silently take over.
3. **Be patient** - don't kill sessions because they're "slow"
4. **Monitor with process:log** - check progress without interfering
5. **--full-auto for building** - auto-approves changes
6. **vanilla for reviewing** - no special flags needed
7. **Parallel is OK** - run many Codex processes at once for batch work
8. **NEVER start Codex in ~/.openclaw/** - it'll read your soul docs and get weird ideas about the org chart!
Confidence: 83%
Finding: auto-approve

VirusTotal

61/61 vendors reported this skill as clean.
