Zworker

Security checks across malware telemetry and agentic risk

Overview

This skill matches its Zworker-control purpose, but it needs review because it can collect user IDs broadly, misroute notifications, and change local automations through an unauthenticated local API.

Install only if you trust the local Zworker app and are comfortable giving it control over automation tasks, schedules, user identifiers, and notification routing. Before use, restrict user-ID collection to an approved OpenClaw source, require explicit confirmation for sync, forwarding, task execution, and schedule changes, and do not allow notifications to be sent when userid is missing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

Finding (Medium, 97% confidence):
The instruction to obtain missing user IDs 'by any means' expands the agent's data-collection scope beyond the immediate task and encourages access to additional sources without clear authorization boundaries. This can lead to unnecessary collection of personal identifiers and onward transmission to the local zworker service.

Intent-Code Divergence

Finding (Low, 80% confidence):
The documentation first says user data must be sourced from openclaw.json, but later says it comes from cli/gateway tools, creating ambiguity about authorized data sources. This inconsistency can cause the agent to pull identifiers from unintended locations, increasing privacy and integrity risk.

Missing User Warnings

Finding (Medium, 90% confidence):
The skill is designed to synchronize user identifiers and forward messages over HTTP, but it does not clearly warn about the privacy implications or require user consent before handling personal data. This makes accidental disclosure more likely, especially when the skill is triggered by broad natural-language requests.

Missing User Warnings

Finding (High, 99% confidence):
Allowing message delivery to a default-bound or recent user when userid is empty creates a direct misdelivery risk, because notifications may be sent to the wrong person without positive recipient verification. In a messaging workflow, that can expose sensitive task results or operational data to unintended recipients.

Missing User Warnings

Finding (Medium, 91% confidence):
The documentation exposes task-execution and schedule-control endpoints that can trigger actions and change system state, but it provides no safety guidance, confirmation requirements, or warnings about operational impact. In the context of an agent skill, this increases the chance that an LLM or integrator will invoke these endpoints too freely, causing unintended task runs or schedule changes on a localhost service with no authentication.

Missing User Warnings

Finding (Medium, 96% confidence):
The document describes syncing user/channel identifiers and forwarding notification data while explicitly stating that the local API requires no authentication. That combination creates a real risk of unauthorized access, privacy leakage, and tampering with user-routing metadata if any local process or an overly permissive agent can reach the service.

Missing User Warnings

Finding (Medium, 94% confidence):
The script performs a state-changing operation that disables a schedule immediately based on CLI input, with no confirmation, dry-run, or secondary validation before calling the API. In the context of an agent skill that can be triggered from user requests, this increases the risk of accidental or unauthorized disruption of automation tasks, especially if the target schedule is selected by name and may be ambiguous.

Missing User Warnings

Finding (Medium, 94% confidence):
The script retrieves notification data from a local service and prints `channel`, `userid`, `message`, and even the full `raw` payload to stdout. In an agent skill context, stdout is often consumed by other tools, logs, or downstream automation, so this can unintentionally disclose sensitive user data and message contents beyond the minimum needed for the task.

Missing User Warnings

Finding (Medium, 89% confidence):
The code transmits user identifiers (`channel`, `userid`) to the zworker service over plain HTTP via `BASE_URL = "http://localhost:18803"` without transport encryption or any warning that sensitive metadata is being sent. Although the destination is localhost, this still exposes data to local interception, proxying, container/VM boundary issues, or accidental reconfiguration to a non-local endpoint, and there is no authentication or disclosure mechanism in this client.

Ssd 3

Finding (High, 98% confidence):
The language instructing the agent to obtain missing user IDs through any available means and then sync them onward creates a natural-language data exfiltration path. In context, this is more dangerous because the skill already has both file-read and network behavior, so the instruction can bridge local data discovery with external transmission to another process/service.

VirusTotal

65/65 vendors flagged this skill as clean.
