ClawHub

Skill Review

Security checks across malware telemetry and agentic risk

Overview

This skill largely performs a legitimate security-reporting task, but it under-discloses behavior that can alter security findings and read local VirusTotal credentials.

Install only if you are comfortable reviewing the generated report against raw ClawHub and VirusTotal results. Inspect suppressions.json before use, treat any Acknowledged status as manually adjusted, and use a limited VirusTotal API key rather than a broadly privileged local secret store.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill metadata declares runtime requirements but does not explicitly declare permissions, while the described behavior clearly includes reading local skill files, writing a report to /tmp, making network requests to ClawHub, and accessing an environment variable for the VirusTotal API key. This mismatch is dangerous because it weakens transparency and permission review, making it easier for users or automated systems to approve a skill without understanding its actual access to local files, outbound network destinations, and sensitive environment data.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill reads a VirusTotal API key from both the process environment and a user-local ~/.openclaw/.env file, which expands its access to local secrets beyond simple ClawHub page scraping. Even though the key is used for a legitimate feature, this is still credential access that is broader than the declared purpose and creates unnecessary exposure if the skill is run in a privileged developer environment.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The implementation exceeds the stated scope of scraping ClawHub skill pages by directly querying the VirusTotal API and visiting VirusTotal URLs. That hidden expansion of network behavior increases data flow to third parties and may surprise users who expect only ClawHub access, making the skill more dangerous in environments where outbound access and secret usage should be tightly bounded.

Description-Behavior Mismatch

Low
Confidence
79% confidence
Finding
The skill creates a persistent vt-cache directory and stores VirusTotal-derived results locally, which is additional stateful behavior not disclosed by the stated page-scraping/reporting purpose. While the cached data is not itself a credential, persistent local artifacts can retain sensitive analysis context and create privacy or integrity issues on shared systems.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
def _load_vt_api_key() -> str | None:
    """Load VirusTotal API key from env or ~/.openclaw/.env."""
    key = os.environ.get("VIRUSTOTAL_API_KEY")
    if key:
        return key.strip()
    env_path = Path.home() / ".openclaw" / ".env"
Confidence
95% confidence
Finding
os.environ.get("VIRUSTOTAL_API_KEY

Credential Access

High
Category
Privilege Escalation
Content
key = os.environ.get("VIRUSTOTAL_API_KEY")
    if key:
        return key.strip()
    env_path = Path.home() / ".openclaw" / ".env"
    if env_path.exists():
        for line in env_path.read_text(encoding="utf-8").splitlines():
            line = line.strip()
Confidence
96% confidence
Finding
.env"

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal