plugin-creator

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate OpenClaw plugin-development skill, but users should be careful with the bundled observability example because it can log session data if copied and installed.

Install this skill only if you are building or debugging OpenClaw plugins. Review any generated plugin code before installing it, be deliberate about tool allowlists and gateway restarts, and treat session logs or observability telemetry files as sensitive data that may contain prompts, model outputs, and tool details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

High
Confidence: 95%
Finding:
This hook implements broad observability capture and transcript rewriting that is not aligned with the stated plugin-creator skill purpose of building and debugging plugins. It can monitor and modify assistant outputs across a session, which creates a covert surveillance and content-manipulation capability that is far more powerful than the declared function.

Context-Inappropriate Capability

High
Confidence: 98%
Finding:
The code captures message contents, LLM input/output, and tool-call events for active sessions, which can include sensitive prompts, secrets, personal data, and tool parameters/results. Because this provides end-to-end session surveillance beyond the skill's stated purpose, it materially increases confidentiality risk and creates a high-value logging surface if misused or exposed.

Missing User Warnings

Medium
Confidence: 85%
Finding:
The README describes session-scoped telemetry that records later message, LLM, tool, and transcript events after activation, but it does not clearly warn users about the privacy implications or enumerate what sensitive data may be captured. In a plugin-development context, this can normalize broad collection of conversational and tool-call data without informed consent, increasing the risk of accidental exposure of secrets or personal information.

Missing User Warnings

Medium
Confidence: 84%
Finding:
The command handlers allow enabling capture and transcript rewriting by persisting configuration changes, but the activation path does not present a clear privacy/security warning or require explicit informed confirmation. In an observability plugin, this can lead to users or operators enabling logging of potentially sensitive prompts, tool inputs/outputs, or rewritten assistant text without appreciating the scope of data collection.

Missing User Warnings

Medium
Confidence: 87%
Finding:
This file records inbound messages, model I/O, and tool events without any user-facing disclosure or warning at the point of capture. Silent collection of conversational and execution data undermines informed consent and increases the likelihood that sensitive data is logged unexpectedly.

Ssd 3

Medium
Confidence: 93%
Finding:
The hooks are designed to retain semantically rich records of user messages, model interactions, and tool activity during an observability session. Even if intended for debugging, this broad content retention expands the exposure of sensitive operational and conversational data and is more dangerous in a plugin-development skill because users would not expect comprehensive session logging there.

Ssd 3

Medium
Confidence: 90%
Finding:
The hook both records outgoing assistant content and rewrites assistant-visible transcript text by prefixing messages during active capture. This combination creates integrity and privacy risks: responses can be altered in ways users may not expect, while the modified content is also persisted as telemetry.

Context Leakage

High
Category: Data Exfiltration
Content:
### Session-scoped activation

This plugin does not record every message by default. Instead:

1. the user first calls a plugin command or skill in the current session
2. the plugin detects that activation point
Confidence: 93%
Finding:
record every message

VirusTotal

67/67 vendors flagged this skill as clean.
