openclaw-pc-security

Security checks across malware telemetry and agentic risk

Overview

This appears to be an OpenClaw and Windows security self-check tool; target scans should only be run against systems the user owns or is authorized to test.

Install only if you want a local security audit plus optional OpenClaw service scanning. Review generated reports before sharing because they can include system, network, and configuration details. Do not run target scans or credential checks against public or third-party systems, and avoid running the bundled mock_server.py except in an isolated test environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if shell and sys.platform == "win32":
    cmd = ["powershell", "-Command", cmd] if isinstance(cmd, str) else cmd

result = subprocess.run(
    cmd,
    capture_output=True,
    text=True,
Confidence
93% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, encoding='utf-8', errors='ignore', shell=shell if sys.
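Why the scanner rates this pattern as dangerous code execution: a string command passed with shell=True (or spliced into a PowerShell -Command string) is parsed by the shell, so any user-influenced fragment such as a path or package name becomes shell syntax. The following is an added example, not code from the skill; it shows the flagged shape beside an argv-only wrapper and round-trips a metacharacter-laden payload to prove it stays inert. The function names and the demo payload are assumptions.

```python
import subprocess
import sys

# Added example (not the scanned skill's code): the flagged pattern beside a
# hardened wrapper. The unsafe shape hands a string to the shell, so any
# user-influenced fragment (a path, a package name) is parsed as shell syntax.


def run_command_unsafe(cmd: str) -> subprocess.CompletedProcess:
    """The flagged shape: string command, shell=True. Never use with untrusted input."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True)


def run_command(argv, timeout=30) -> subprocess.CompletedProcess:
    """Hardened wrapper: argv list only, no shell, bounded runtime.

    Untrusted values travel as single argv elements, so shell metacharacters
    inside them are inert. For PowerShell, keep the script body fixed and pass
    data through environment variables referenced as $env:NAME in the script;
    never splice it into the -Command string.
    """
    if isinstance(argv, (str, bytes)):
        raise TypeError("pass the command as a list of arguments, not a shell string")
    argv = list(argv)
    if not argv or not all(isinstance(a, str) for a in argv):
        raise TypeError("argv must be a non-empty list of strings")
    return subprocess.run(
        argv,
        shell=False,
        capture_output=True,
        text=True,
        encoding="utf-8",
        errors="ignore",
        timeout=timeout,
    )


def echo_argument(payload: str) -> str:
    """Round-trip a payload through a child process and return what it received.

    Uses the current interpreter so the demo runs on any platform. A payload
    full of shell metacharacters comes back unchanged because no shell ran.
    """
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", payload]
    result = run_command(argv)
    return result.stdout.rstrip("\r\n")


if __name__ == "__main__":
    # Constructed payload resembling an attacker-chosen file name.
    print(repr(echo_argument("report.txt; echo pwned > owned.txt")))
```

The wrapper rejects strings outright rather than trying to quote them, because quoting rules differ between cmd.exe, PowerShell and POSIX shells and are the usual source of bypasses.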

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises shell, file, environment, and network-capable behavior but declares no permissions or capability boundaries. This creates a transparency and consent problem: users may invoke a seemingly harmless local audit skill without understanding that it can read/write files, execute commands, and reach network resources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is a local PC/OpenClaw self-check, but the documented behavior expands into remote target scanning, active credential checks, external API access, and broader vulnerability probing. That mismatch is dangerous because it can mislead users into authorizing intrusive or legally sensitive actions they did not reasonably expect from the description.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The skill is described as a local self-check, but this function reaches out to the npm registry to resolve package versions. That creates unexpected outbound network activity and metadata disclosure about the user's environment, which is a security/privacy concern because it exceeds the declared local-only scope.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The implementation performs substantially broader host inspection than the skill metadata suggests, including OS patching, AV status, browser versions, Node.js, and CLI version enumeration. That scope expansion increases sensitivity of collected data and undermines informed consent, making the skill more dangerous in context because users would reasonably expect only a narrow OpenClaw exposure check.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This file implements a real HTTP server with authentication-like behavior, which materially exceeds the stated purpose of a local security self-check that should only inspect local configuration and generate a report. Even if labeled as a mock server, bundling network-listening and credential-handling code into this skill increases attack surface and creates an opportunity for accidental exposure, misuse, or repurposing.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code starts a listening HTTP service on all interfaces using TCPServer(("", PORT), ...), making the mock service reachable from the network rather than limiting it to local-only access. In the context of a PC security self-check skill, this is especially risky because the declared functionality does not justify opening a port, so the behavior is unexpected and could expose test endpoints or misleading security signals.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The login handler contains hardcoded credentials ('admin'/'openclaw') and returns a static token, which normalizes insecure authentication patterns and could be abused directly if the mock server is exposed. Within a skill whose purpose is security self-assessment, including credential processing unrelated to reporting is particularly dangerous because it conflicts with least functionality and may be mistaken for legitimate auth logic.
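The two findings above (a listener bound to all interfaces, and a fixed 'admin'/'openclaw' pair returning a static token) have a common hardened shape. The following is an added example, not the skill's mock_server.py: the server binds to loopback only, refuses to start without operator-supplied credentials from the environment, compares them in constant time, and issues a fresh random token per login. The MOCK_USER/MOCK_PASSWORD variable names, the /login and /status routes, and the demo credentials are assumptions.

```python
import json
import os
import secrets
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Added example, not the skill's mock_server.py. Loopback-only bind, credentials
# from the environment instead of hardcoded, constant-time comparison, and a
# random per-login token instead of a static one. Names are assumptions.

BIND_HOST = "127.0.0.1"  # never "" or 0.0.0.0 for a test fixture


def load_credentials():
    """No shipped default: the server refuses to start without operator-set values."""
    user, password = os.environ.get("MOCK_USER"), os.environ.get("MOCK_PASSWORD")
    if not user or not password:
        raise RuntimeError("set MOCK_USER and MOCK_PASSWORD; no default credentials exist")
    return user, password


def credentials_match(given_user, given_password, expected):
    """Constant-time comparison on both fields; '&' avoids short-circuit timing leaks."""
    u_ok = secrets.compare_digest(given_user.encode(), expected[0].encode())
    p_ok = secrets.compare_digest(given_password.encode(), expected[1].encode())
    return u_ok & p_ok


class MockHandler(BaseHTTPRequestHandler):
    def _json(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        if self.path != "/login":
            return self._json(404, {"error": "not found"})
        try:
            body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
            if not isinstance(body, dict):
                raise ValueError("body must be an object")
        except ValueError:  # covers JSONDecodeError and a bad Content-Length
            return self._json(400, {"error": "malformed body"})
        given = (str(body.get("username", "")), str(body.get("password", "")))
        if not credentials_match(*given, self.server.credentials):
            return self._json(401, {"error": "invalid credentials"})
        token = secrets.token_urlsafe(32)  # fresh per login, never a constant
        with self.server.lock:
            self.server.tokens.add(token)
        return self._json(200, {"token": token})

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        with self.server.lock:
            ok = token in self.server.tokens
        return self._json(200 if ok else 401, {"status": "ok" if ok else "unauthorized"})

    def log_message(self, *args):  # keep the fixture quiet
        pass


class MockServer(ThreadingHTTPServer):
    def __init__(self, port=0, credentials=None):
        super().__init__((BIND_HOST, port), MockHandler)
        self.credentials = credentials or load_credentials()
        self.tokens, self.lock = set(), threading.Lock()

    def start(self):
        threading.Thread(target=self.serve_forever, daemon=True).start()
        return self.server_address[0], self.server_address[1]


def http_json(host, port, method, path, body=None, token=None):
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    conn = HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=json.dumps(body) if body is not None else None, headers=headers)
    resp = conn.getresponse()
    data = json.loads(resp.read() or b"{}")
    conn.close()
    return resp.status, data


def demo():
    """Start on an ephemeral loopback port and exercise the login path; returns observations."""
    creds = {"username": "tester", "password": "correct horse battery"}  # constructed demo creds
    server = MockServer(port=0, credentials=(creds["username"], creds["password"]))
    host, port = server.start()
    try:
        old_pair = http_json(host, port, "POST", "/login", {"username": "admin", "password": "openclaw"})
        login1 = http_json(host, port, "POST", "/login", creds)
        login2 = http_json(host, port, "POST", "/login", creds)
        probe_ok = http_json(host, port, "GET", "/status", token=login1[1].get("token"))
        probe_bad = http_json(host, port, "GET", "/status", token="static-token")
    finally:
        server.shutdown()
        server.server_close()
    return {"host": host, "old_pair": old_pair[0], "login": login1[0],
            "distinct_tokens": login1[1].get("token") != login2[1].get("token"),
            "probe_ok": probe_ok[0], "probe_bad": probe_bad[0]}
```

Port 0 asks the OS for an ephemeral port, which is the right default for a fixture: nothing else can guess it, and binding to 127.0.0.1 means even a guessed port is unreachable from the network.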

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill is described as a local PC/OpenClaw self-check, but the script accepts arbitrary remote targets and bulk target lists, materially expanding it into a general network scanner. That mismatch can cause users to run broader scans than intended, creating unauthorized scanning risk and violating least-surprise expectations for a supposedly local-only tool.
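The check a practitioner would want in front of a target argument or bulk target file is an authorization gate rather than a warning. The following is an added example, not the skill's own code: loopback addresses are always accepted, anything else must fall inside a CIDR allowlist the operator passes explicitly, hostnames are refused because resolving them is itself a network action, and a target list is accepted all-or-nothing so one stray entry cannot widen a "local self-check" into a scan of a third party. Function names and the sample target file are assumptions.

```python
import ipaddress

# Added example, not the skill's own code. Scan targets pass only if they are
# loopback or inside an explicitly supplied allowlist; hostnames are refused
# (callers resolve first and pass the address) so the gate makes no DNS calls.


class UnauthorizedTarget(ValueError):
    """Raised for any target the operator has not explicitly authorized."""


def parse_allowlist(entries):
    """Turn operator-supplied CIDR strings into networks; blank entries are skipped."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def authorize_target(target, allowlist=()):
    """Return the parsed address if scanning it is authorized, else raise."""
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        raise UnauthorizedTarget(
            f"{target!r}: hostnames are not accepted; resolve it and pass the IP address"
        ) from None
    if addr.is_loopback:
        return addr  # the declared scope of a self-check
    if any(addr in net for net in allowlist):
        return addr
    raise UnauthorizedTarget(f"{addr}: not loopback and not inside an authorized range")


def load_targets(lines, allowlist=()):
    """Validate a bulk target file (one target per line, '#' comments).

    All-or-nothing: every unauthorized line is reported and the whole list is
    rejected before any probe runs.
    """
    targets, errors = [], []
    for number, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            targets.append(authorize_target(line, allowlist))
        except UnauthorizedTarget as exc:
            errors.append(f"line {number}: {exc}")
    if errors:
        raise UnauthorizedTarget("; ".join(errors))
    return targets


def demo():
    """Run the gate over a constructed target file with and without an allowlist."""
    sample = "# constructed target file\n127.0.0.1\n10.0.0.9\n203.0.113.4\n".splitlines()
    lab_only = parse_allowlist(["10.0.0.0/24"])
    results = {}
    try:
        load_targets(sample, lab_only)
        results["lab_allowlist"] = "accepted"
    except UnauthorizedTarget as exc:
        results["lab_allowlist"] = str(exc)
    results["with_documented_range"] = [
        str(t) for t in load_targets(sample, parse_allowlist(["10.0.0.0/24", "203.0.113.0/24"]))
    ]
    return results
```

Private-range membership is deliberately not a shortcut here: a 10.0.0.0/8 address in a corporate network is still someone else's host unless the operator named the range.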

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The skill claims to generate a local report, yet it optionally contacts external npm and MSRC services and can download/cache CVRF data. This expands the trust boundary and can leak usage metadata or host interest in specific software/CVEs, which is significant when users expect a strictly local self-check.
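Both outbound findings (the npm registry lookup above and the npm/MSRC fetches here) reduce to the same design point: network egress from a tool advertised as local must be opt-in, limited to declared hosts, and visible in the report. The following is an added example, not the skill's code: a fetcher that refuses to reach out unless the operator enabled it, consults a local cache first, records every destination it contacted, and is exercised offline through an injected stub. The cache layout, class names and the stub response are assumptions; the registry's /<package>/latest document is the one real endpoint referenced.

```python
import json
import tempfile
import time
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Added example, not the skill's own code. Outbound lookups (npm registry, MSRC
# CVRF) are off unless the operator opts in, each destination is recorded so the
# report can disclose it, and in offline mode the local cache is the only source.
# Assumed cache layout: JSON mapping url -> {"fetched_at": epoch, "body": text}.


class NetworkDisabled(RuntimeError):
    """Raised instead of silently reaching out when the lookup is not permitted."""


class GatedFetcher:
    DEFAULT_HOSTS = ("registry.npmjs.org", "api.msrc.microsoft.com")

    def __init__(self, cache_path, allow_network=False, allowed_hosts=DEFAULT_HOSTS, fetch=None):
        self.cache_path = Path(cache_path)
        self.allow_network = allow_network
        self.allowed_hosts = set(allowed_hosts)
        self._fetch = fetch or self._urlopen  # injectable so tests never touch the network
        self.contacted = []                   # every URL actually fetched, for the report
        self._cache = json.loads(self.cache_path.read_text()) if self.cache_path.exists() else {}

    @staticmethod
    def _urlopen(url):
        req = Request(url, headers={"User-Agent": "openclaw-self-check"})
        with urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8")

    def get(self, url, max_age=86400):
        entry = self._cache.get(url)
        if entry and time.time() - entry["fetched_at"] < max_age:
            return entry["body"]  # fresh cache: no egress at all
        if not self.allow_network:
            raise NetworkDisabled(f"{url}: offline mode and no fresh cache entry; rerun with network opt-in")
        parsed = urlparse(url)
        if parsed.scheme != "https" or parsed.hostname not in self.allowed_hosts:
            raise NetworkDisabled(f"{url}: not in the declared outbound set")
        body = self._fetch(url)
        self.contacted.append(url)
        self._cache[url] = {"fetched_at": time.time(), "body": body}
        self.cache_path.write_text(json.dumps(self._cache))
        return body


def npm_latest_version(fetcher, package):
    """Resolve a package's latest version via the registry's /<package>/latest document."""
    body = fetcher.get(f"https://registry.npmjs.org/{package}/latest")
    return json.loads(body)["version"]


def demo():
    """Walk the modes offline using a stub fetch; returns what each mode did."""
    cache = Path(tempfile.mkdtemp()) / "cache.json"
    calls = []

    def stub_fetch(url):  # stands in for the real HTTP call; constructed response
        calls.append(url)
        return json.dumps({"version": "1.3.0"})

    out = {}
    try:
        npm_latest_version(GatedFetcher(cache), "left-pad")
        out["offline_cold"] = "fetched"
    except NetworkDisabled:
        out["offline_cold"] = "refused"
    online = GatedFetcher(cache, allow_network=True, fetch=stub_fetch)
    out["online"] = npm_latest_version(online, "left-pad")
    out["contacted"] = list(online.contacted)
    warm = GatedFetcher(cache)  # offline again, but the cache is now populated
    out["offline_warm"] = npm_latest_version(warm, "left-pad")
    out["warm_contacted"] = list(warm.contacted)
    try:
        online.get("https://evil.example/x")
        out["foreign_host"] = "fetched"
    except NetworkDisabled:
        out["foreign_host"] = "refused"
    out["stub_calls"] = len(calls)
    return out
```

The contacted list is what belongs in the generated report next to the findings, so a reader knows which external services learned that this host cares about a given package or advisory.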

Missing User Warnings

Medium
Confidence
82% confidence
Finding
These routines collect detailed local system information via shell commands, including Windows version and installed hotfixes, without a specific disclosure of what is being enumerated. In a security-audit skill this may be functionally relevant, but the lack of explicit notice/consent is still risky because it silently expands host reconnaissance.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script probes local config file locations and inspects listening addresses/ports, which can reveal sensitive deployment and exposure details. For this skill's purpose the behavior is relevant, but doing it without explicit user warning or path disclosure makes it a transparency/privacy issue rather than purely benign auditing.

VirusTotal

63/63 vendors flagged this skill as clean.
