Security audit

Agent Changelog

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its changelog purpose, but it installs persistent automation and can automatically commit, push, or upload broad workspace snapshots, so users should review it before installing.

Install only if you want persistent workspace versioning. Before setup, narrow .agent-changelog.json away from the default whole workspace if needed, audit .gitignore and tracked files for secrets, and review any existing OpenClaw hooks because setup can overwrite them. Do not paste a PromptLayer API key into chat; set PROMPTLAYER_API_KEY securely in your environment. Enable GitHub or PromptLayer sync only if you are comfortable with automatic pushes or full tracked-repository snapshots being sent to that provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares capabilities requiring environment access and network use via metadata, but does not declare corresponding permissions in a way that lets users clearly understand or consent to those operations. This is dangerous because the skill can access secrets like PROMPTLAYER_API_KEY and perform remote sync or data transfer without a clear, constrained permission boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill description presents the feature as changelog/history tooling, but the implementation notes and onboarding reveal broader behaviors: installing hooks, capturing user/message metadata, scheduling automatic commits, pushing to GitHub, modifying config, and synchronizing with PromptLayer. This mismatch undermines informed consent and can lead to sensitive workspace content, identity metadata, and history being persisted or exfiltrated beyond what a user reasonably expects.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script creates a zip of the current git HEAD and uploads it to PromptLayer, which introduces external data exfiltration behavior beyond a changelog skill's stated local git/OpenClaw handling scope. Even if limited to tracked files, this can disclose proprietary source, embedded secrets, or sensitive workspace contents to a third-party service without strong in-band disclosure or consent.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code reads an API key from the environment and uses it to register and upload data to an external service, behavior not clearly justified by the described changelog functionality. This increases the attack surface by enabling outbound transmission tied to operator credentials, and in this skill context it makes unexpected third-party data sharing more dangerous because users may reasonably expect only local git/OpenClaw operations.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This script does more than local changelog handling: it creates a ZIP of the current repository state and uploads it to PromptLayer. In a skill described as changelog/git history tooling, undisclosed exfiltration of workspace contents is a real security concern because repositories commonly contain proprietary code, prompts, configs, and secrets that should not be transmitted off-host by default.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script reads a PromptLayer API key from the environment and uses it to send repository data to an external API, which expands the skill's privilege and data exposure beyond ordinary changelog operations. Even if the API key itself is not uploaded, the combination of ambient credentials plus automatic outbound transfer creates a meaningful risk of unauthorized publication or leakage of sensitive workspace contents.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The onboarding flow asks for a PromptLayer API key but does not include a strong warning not to paste secrets into normal chat or explain safe secret-entry handling. This creates a realistic risk that users disclose credentials in conversation logs, after which the key could be retained, exposed to other tooling, or mishandled by downstream systems.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The handler collects sender identity fields such as name, senderId, channel, and a timestamp, then persists them to a hidden file in the workspace without any visible consent, disclosure, retention controls, or access restrictions. This creates a privacy and data-governance risk because other components, tools, or users with workspace access may read or misuse this metadata, and the hidden filename makes the collection less transparent rather than safer.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This hook automatically performs git commits after every outbound message, but the description does not clearly warn users that their workspace changes will be staged and committed continuously. That creates a transparency and consent problem: users may unknowingly persist sensitive, partial, or unintended changes into repository history, which can later be pushed, inspected, or restored by others.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script automatically stages all configured tracked files and later commits them without an interactive confirmation step. In an agent skill that manages changelogs and history, this can unintentionally capture sensitive edits, secrets, or unrelated work present in tracked files, especially when invoked automatically or by another tool.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
When GitHub sync is enabled, the script automatically pushes the new commit to the first configured remote with no confirmation or explicit disclosure at execution time. That can transmit repository contents to an external destination, potentially exposing private code, secrets, or internal history if the remote is misconfigured, untrusted, or unexpectedly public.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
When PromptLayer sync is enabled, the script invokes a Node helper to send commit metadata over the network using the commit subject. Even though this appears limited to metadata rather than full repo contents, commit subjects often include filenames, summaries, or other sensitive context, and the transfer happens without a clear runtime warning or consent prompt.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The upload occurs immediately after local checks with no explicit user-facing confirmation at the point of transmission, despite sending a full snapshot archive to a remote API. In a changelog-focused skill, this is particularly risky because users may invoke initialization expecting local versioning setup, not a bulk export of repository contents to an external provider.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code uploads a full `git archive` snapshot of `HEAD` to a remote service without any inline warning, confirmation, or granular selection of content. In the context of an agent skill, this is especially dangerous because users may assume local changelog processing while the tool silently transmits the entire tracked repository, increasing the chance of source code, intellectual property, and embedded secrets being exposed.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script rewrites the user's OpenClaw config in place to enable internal hooks without prompting, backup, schema validation, or checking whether those keys already have intentional values. In an agent environment, silently changing global config can weaken user control and unexpectedly activate code paths or hooks that affect future sessions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The installer deletes existing hook destinations and replaces them unconditionally, including recursive removal of directories under the hooks path. This can destroy prior hook contents or local customizations and, in a privileged or shared workspace, may overwrite trusted automation with new code without explicit user approval.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs the agent to ask for and handle a raw PromptLayer API key in conversation, which is an unsafe secret-handling pattern. Even if the skill later stores only a SecretRef, the initial collection in chat can leak the credential through transcripts, logs, analytics, or model context, creating a direct compromise path for the user's external account.

VirusTotal

67/67 vendors flagged this skill as clean.
Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
hooks/agent-changelog-commit/handler.ts:14

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/pl-init.js:47

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/pl-pull.js:54

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/pl-push.js:26

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/pl-init.js:9

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/pl-pull.js:9

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/pl-push.js:9