Native Scripts

Security checks across malware telemetry and agentic risk

Overview

This skill is a small monitoring script bundle, but it sends local system and usage details to Telegram with hardcoded recipient and SSH information that users may not expect.

Review before installing. Replace or remove the hardcoded Telegram chat ID and SSH address, confirm exactly which bot token is used, run only as an unprivileged user, and enable systemd timers only after you are comfortable with the recurring Telegram telemetry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
76% confidence
Finding
The skill advertises shell-based automation behavior but does not declare permissions or clearly signal that it will execute native scripts. In a security review context, undeclared shell capability reduces transparency and can cause users or platforms to authorize a skill without understanding its operational reach.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose emphasizes local monitoring and cost tracking, but the behavior includes outbound Telegram communication, use of locally stored bot credentials, and potential disclosure of sensitive operational details to an external recipient. That mismatch is dangerous because users may deploy it expecting local-only automation while the skill exfiltrates status data and identifiers off-host.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The heartbeat message embeds a direct SSH target (`mark@100.67.51.118`) in a Telegram notification that is sent to an external service. This unnecessarily discloses infrastructure access details to anyone with access to the chat, Telegram account, bot logs, or intercepted message history, increasing the attack surface for targeted intrusion attempts.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script exfiltrates operational status to an external Telegram endpoint and includes explicit SSH connection details in the alert body. For a local watchdog utility, this materially expands the capability surface and leaks infrastructure metadata to a third party, which could aid unauthorized access or reconnaissance if the bot token, chat, or recipient are misconfigured or compromised.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill states that status reports and alerts are sent to Telegram but does not clearly warn that system state, usage, and possibly infrastructure metadata leave the machine. This lack of disclosure can lead to unintended external sharing of operationally sensitive information such as uptime, process health, costs, and host details.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Referencing API keys in a local .env file without any warning about secret handling encourages unsafe credential practices and normalizes broad script access to sensitive data. In a shell automation skill, this increases the chance of accidental leakage through logs, subprocesses, misconfigured permissions, or outbound notifications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends operational telemetry including service status, model name, session counts, uptime, disk, memory, alert counts, and cumulative spend to Telegram without any consent gate or minimization. This leaks internal environment and business-usage data to a third-party platform and could aid reconnaissance if the bot, chat, or Telegram account is compromised.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends system state and connection details to Telegram without any visible consent, disclosure, or minimization. This creates a privacy and security risk because outage events, account names, and server access information are transmitted off-host to an external service and recipient that may not be adequately controlled.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script silently reads a bot token from a local config and uses it for external messaging, which is sensitive credential use without transparency. Although merely reading a token is not exploitation by itself, undisclosed credential harvesting and immediate use for outbound communications is risky in an agent skill because it may surprise operators and broaden the trust boundary.

Credential Access

High
Category
Privilege Escalation
Content
Scripts read configuration from:
- ~/.openclaw/openclaw.json (Telegram token, model pricing)
- ~/.openclaw/.env (API keys)

## License
Confidence
80% confidence
Finding
.env

VirusTotal

VirusTotal findings are pending for this skill version.
