ClawHub Skill Explorer (ClawHub技能探索工具)

Security checks across malware telemetry and agentic risk

Overview

The skill is advertised as a ClawHub search/explorer tool, but its bundle includes credentialed publishing, ranking-optimization automation, hardcoded local paths, and unsafe shell command construction.

Review before installing. Treat this as more than a read-only explorer: it can run shell commands, star skills, publish/update ClawHub listings, write local config files, and contains an exposed token that should be revoked. Only use it in a tightly controlled environment after removing the maintenance/publish scripts, replacing os.popen with safe subprocess calls, validating slugs, and deleting the hardcoded credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
def _execute_clawhub_cmd(self, cmd: str) -> str:
    """Execute ClawHub CLI command"""
    try:
        # cmd is handed to the shell as a single string, so any
        # metacharacters in its components are interpreted by the shell
        result = os.popen(cmd).read().strip()
        return result
    except Exception as e:
        print(f"❌ Error executing command: {e}")
Confidence
98% confidence
Finding
result = os.popen(cmd).read().strip()

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Run the update command with a longer timeout
log_message("执行clawhub publish命令...")
result = subprocess.run(["clawhub", "publish",
                         "/Users/sunyanguang/.openclaw/workspace/custom-skills/clawhub-skill-explorer",
                         "--name", "ClawHub技能探索工具",
                         "--version", "1.0.0",
Confidence
95% confidence
Finding
result = subprocess.run(["clawhub", "publish", "/Users/sunyanguang/.openclaw/workspace/custom-skills/clawhub-skill-explorer", "--na

subprocess module call

Medium
Category
Dangerous Code Execution
Content
log_message("API调用频率过高,将在10分钟后重试...", "WARNING")
time.sleep(600)  # wait 10 minutes before retrying
log_message("10分钟后重试技能更新...")
result = subprocess.run(["clawhub", "publish",
                         "/Users/sunyanguang/.openclaw/workspace/custom-skills/clawhub-skill-explorer",
                         "--name", "ClawHub技能探索工具",
                         "--version", "1.0.0",
Confidence
94% confidence
Finding
result = subprocess.run(["clawhub", "publish", "/Users/sunyanguang/.openclaw/workspace/custom-skills/clawhub-skill-explorer",

Lp3

Medium
Category
MCP Least Privilege
Confidence
79% confidence
Finding
The skill metadata/documentation does not declare permissions, yet the analyzed behavior indicates access to file read/write, network, and shell capabilities. This creates a significant trust and review gap because users may install a seemingly simple discovery tool that can modify local files, execute commands, and communicate externally without transparent disclosure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose is a search/browse tool, but the observed behavior includes publishing, modifying local configuration, external HTTP requests, unrelated automation workflows, and use of a hard-coded ClawHub token. This mismatch is highly dangerous because it can hide privileged or account-impacting operations behind an innocuous description, increasing the risk of covert exfiltration, unauthorized account actions, or system changes.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The runbook instructs the skill to inspect, generate, and then publish updated skill metadata, which goes beyond the stated purpose of merely exploring and navigating skills. This creates a capability mismatch that could let the agent modify marketplace-facing content, manipulate rankings, or perform unauthorized changes under the guise of a search/navigation tool.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The state file describes a scheduled process to optimize descriptions and keywords specifically to maintain platform ranking, which goes beyond the declared skill purpose of search and navigation. This creates a clear scope mismatch and suggests the skill may be used for automated SEO manipulation rather than user-facing discovery, increasing the risk of platform abuse and deceptive behavior.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Automated nightly ranking optimization is an unjustified capability for a tool intended to help users explore skills. Persistent scheduled updates aimed at improving ranking can be abused to game platform algorithms, consume API quota, and alter published metadata without a user-driven need.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This script performs local state modification by rewriting a workspace config file even though the skill is presented as a search/navigation tool. That mismatch expands the skill's effective privileges and can enable unauthorized behavior changes to another component's API settings, which is risky in agent environments where users may not expect file writes from a discovery tool.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code writes directly to a hard-coded absolute path under a local workspace, which can modify files outside the immediate execution context without user choice. Hard-coded filesystem writes are dangerous because they can overwrite sensitive configuration, break portability, and create an unexpected persistence mechanism for changing agent behavior.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill is presented as an explorer/navigation tool, but it includes a `favorite` operation that changes remote account state by starring a skill. This is a capability expansion beyond the stated purpose, which can mislead users and increases risk of unintended actions, especially when combined with shell-based command execution.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
A search/browse helper should not need arbitrary shell execution to fulfill its purpose, yet this code provides a generic command-execution wrapper. That unnecessary power significantly increases the attack surface and makes later misuse, including injection through untrusted inputs, much more dangerous in the context of a simple discovery tool.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The CLI exposes a `favorite` command even though the skill metadata describes search and category browsing. This mismatch can cause users to invoke account-affecting behavior they did not expect from an explorer tool, making the capability more dangerous than it would be in a clearly administrative or account-management context.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is described as a tool for exploration and navigation, but this file performs publication of the skill itself. That mismatch is security-relevant because users and reviewers may grant the skill permissions or trust assumptions appropriate for browsing, while the code actually performs release operations that modify external state.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Executing an external 'clawhub publish' command is a privileged capability unrelated to a skill-exploration tool's stated purpose. In this context, hidden publishing behavior is dangerous because it can trigger unauthorized releases or modify repository/platform state without users expecting operational side effects.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The top-level documentation frames the module as part of a skill exploration tool, while the implementation is a delayed publisher. This kind of misleading labeling increases the chance that dangerous operational code bypasses review or is executed in a context where publication behavior is unexpected.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file belongs to a skill described as a search and navigation tool, yet it performs automated publishing and metadata updates to the skill listing. This mismatch is dangerous because users and reviewers may grant trust based on benign functionality while the code carries hidden remote modification capabilities.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
A hardcoded authentication token is embedded directly in source, and the script combines it with external publishing capability unrelated to the skill's stated purpose. Anyone who obtains the code can reuse the credential to access or modify remote resources, and the surrounding behavior suggests potential unauthorized publication actions.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The comment says the token is directly configured 'to ensure safety,' but the implementation hardcodes the secret in plaintext. This is dangerous because it can mislead reviewers into trusting an obviously insecure pattern and normalizes unsafe credential handling.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The script includes a capability to publish the skill to ClawHub, which is unrelated to the declared end-user function of searching and browsing skills. In an agent-skill context, hidden maintenance or release actions expand the trust boundary and can trigger unintended external side effects such as publishing modified content.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The code modifies local configuration, changes version metadata, and prepares the package for release, which exceeds the stated scope of a discovery/navigation skill. In practice, this means the skill can mutate local files and alter deployment state, increasing risk if the agent or user expects a read-only browsing utility.

Missing User Warnings

High
Confidence
99% confidence
Finding
`get_skill_details` builds `clawhub inspect {slug}` from a user-controlled `slug` and passes it into `os.popen`, allowing direct shell injection. A crafted slug containing shell metacharacters could run arbitrary commands on the local system, which is especially severe because this function is exposed through the CLI `view` command.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The favorite action executes `clawhub star {slug}` via the shell using user-supplied input and performs a remote state-changing operation without clear safety controls. This creates two risks at once: local command injection on the host and unintended modification of the user's remote favorites/account state.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script accesses a hardcoded credential without any user-facing disclosure, consent, or warning. In the context of a seemingly benign exploration skill, hidden credential use materially increases risk because users would not expect the package to contain or exercise privileged access to external services.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script performs a skill publishing operation automatically and without explicit user confirmation. This is dangerous because it introduces a remote state-changing side effect that an end user of a search/navigation skill would not reasonably anticipate.

VirusTotal

64/64 vendors flagged this skill as clean.
