Wip Universal Installer

Security checks across malware telemetry and agentic risk

Overview

This is a real installer, but it can make broad persistent changes to local agent and npm configuration without enough scoping or consent.

Install only for repositories and publishers you trust. Run with --dry-run first, and inspect package.json scripts, MCP servers, hooks, and plugin files before installation. Expect possible changes to global npm binaries plus Claude/OpenClaw/LDM configuration. The checks do not show credential theft or exfiltration, so it is rated Review rather than malicious.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
This is a true security issue because the documented purpose understates materially riskier behavior: global package installation, delegation to an external command, cloning remote repositories, deleting prior installs, and editing user configuration files. An installer that silently performs system-wide changes and trust-sensitive config mutations can be abused for supply-chain compromise, persistence, or destructive changes, especially when users invoke it expecting only interface detection and installation.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The installer edits the source repository's .gitignore by adding .claude/worktrees/, which is outside the narrow scope of detecting interfaces and installing them. Modifying a user's repo contents is a persistent side effect that can silently alter version-control behavior and is especially risky because it happens automatically during install without explicit opt-in.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The installer attempts to bootstrap and delegate to LDM OS by globally installing @wipcomputer/wip-ldm-os and then handing off execution to ldm install. That expands the trust boundary from installing the target repo to installing and executing unrelated global infrastructure code, creating a software supply chain and privilege-risk issue that is not implied by the stated purpose.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This code unconditionally runs npm install -g @wipcomputer/wip-ldm-os when LDM is absent, even though the tool is presented as an installer for a target repo. Automatically adding unrelated global software introduces avoidable supply-chain exposure and can execute additional postinstall logic outside the user's expectations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly instructs users to perform global package installation and to modify agent configuration files in home directories (for example, ~/.openclaw/extensions/ and ~/.claude/settings.json) without any warning, consent flow, or discussion of security implications. In the context of an installer for agent-native software, this is risky because it normalizes persistent system and agent-environment changes that could enable unreviewed code execution, expanded trust boundaries, or hard-to-notice persistence.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The usage documentation presents installation as routine but does not warn that commands may clone untrusted remote repositories and modify local system or user-agent configuration. In the context of an agent skill, that omission is dangerous because users may authorize execution without understanding that it can make persistent local changes and pull code from external sources.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The migration routine deletes extension directories, skill directories, registry entries, and MCP registrations using rm -rf and config rewrites without prompting the user at the moment of action. Even if intended as migration cleanup, these are destructive operations that can remove working installs or user customizations if matching logic is wrong or incomplete.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The installer silently attempts to install global LDM infrastructure and then delegates installation flow to it, with only minimal console messaging and no explicit consent gate. Installing and executing new global software is a high-trust action, so doing it automatically is unsafe and can surprise users in locked-down or sensitive environments.

VirusTotal

67/67 vendors flagged this skill as clean.
