Auto Skill Scanner

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it scans installed OpenClaw skills and sends recurring reports, with the main risks being disclosed automation and broad report delivery.

Install only if you want ongoing daily security scans of your OpenClaw skills. Confirm that every active Telegram, Feishu, or other OpenClaw channel is an appropriate place to receive security summaries, and review/remove the created OpenClaw cron jobs when you no longer want automated reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises capabilities to read installed skills, send network reports, and invoke shell/cron behavior, but it declares no permissions. This creates a transparency and consent problem: users and policy engines cannot accurately assess or restrict what the skill can do, while the combination of file access, networking, and shell execution materially expands abuse potential if the implementation is compromised or overly broad.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The stated purpose is scanning and reporting, but the described behavior also includes enumerating active channels, reading session configuration, and installing persistent cron jobs through external commands. That mismatch is dangerous because it hides persistence and broad message dissemination behind a benign security-tool framing, reducing informed consent and making covert data distribution or unwanted automation easier.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script silently modifies OpenClaw scheduler state by creating persistent cron jobs, which exceeds the expected scope of a tool presented as a scanner/reporter. Persistence-changing behavior without explicit opt-in is dangerous because it can cause ongoing automated execution and reporting that the user did not knowingly authorize.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code enumerates session delivery targets from local OpenClaw session configuration to discover where to send results. For a scanning skill, harvesting active channels and recipient identifiers is over-privileged and creates privacy and data-routing risk, especially when combined with automatic scheduler setup.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill says reports are pushed to channels, but it does not clearly warn users that it will automatically discover active messaging channels and send results to all configured destinations. In a security-scanning context, reports may contain sensitive file names, findings, or operational metadata, so broad automatic distribution increases the risk of unintended disclosure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation mentions daily automation, but it does not provide a strong, explicit warning that first activation creates a recurring cron job that continues running without further user action. Hidden persistence is risky because it changes system state, can repeatedly access files and networks, and may continue operating after the user forgets it was enabled.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script creates cron jobs and discovers active channels without any explicit confirmation, warning, or setup step. In skill ecosystems, silent persistence and background automation are risky because they can change system behavior and continuously act on behalf of the user without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.
