ClawHub

Office Link

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about using MorphixAI to link accounts and proxy API calls, but it gives broad cross-service read/write authority with weak scoping and secret-handling guidance.

Install only if you trust MorphixAI and the required plugin with the accounts you connect. Use the narrowest API key scopes available, avoid storing the key in committed config files, and manually review the account, endpoint, method, and body before any proxy call that posts, updates, deletes, or shares third-party data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly encourages proxying requests to third-party APIs through MorphixAI, including reading messages and appending spreadsheet data, but it does not clearly disclose that user data and API traffic will transit a server-side intermediary. In a credential-brokering/account-linking skill, that omission is materially risky because users may assume direct platform access rather than server-side inspection, logging, retention, or cross-border transfer.

Ssd 3

Medium
Confidence
94% confidence
Finding
The documentation tells users to create an API key with all scopes selected and shows inline secret placement in environment/config examples, including storing the key directly in openclaw.json. This combination promotes overprivileged credentials and increases the chance that agents or users expose, echo, commit, or reuse sensitive secrets in chat logs or configuration files.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal