OpenClaw Troubleshooting Tool

Security checks across malware telemetry and agentic risk

Overview

This troubleshooting skill appears intended to help, but its repair mode can make broad lasting changes to Python packages and workspace permissions without clear consent.

Install only if you are comfortable with it changing your local Python environment and OpenClaw workspace. Avoid running quick_start.py or 'fix all' on an important workspace without a backup; prefer reviewing and running the dependency installs and permission repairs manually, especially the recursive chmod -R 755 behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (26)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    # Fix workspace permissions
    if os.path.exists(self.workspace_dir):
        subprocess.check_output(['chmod', '-R', '755', self.workspace_dir])

    # Fix custom skills directory permissions
    custom_skills_dir = os.path.join(self.workspace_dir, 'custom-skills')
Confidence
94% confidence
Finding
subprocess.check_output(['chmod', '-R', '755', self.workspace_dir])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Fix custom skills directory permissions
custom_skills_dir = os.path.join(self.workspace_dir, 'custom-skills')
if os.path.exists(custom_skills_dir):
    subprocess.check_output(['chmod', '-R', '755', custom_skills_dir])

print("✅ 权限修复完成")
return True
Confidence
94% confidence
Finding
subprocess.check_output(['chmod', '-R', '755', custom_skills_dir])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Try to install with --break-system-packages flag
try:
    for package in missing_packages:
        subprocess.check_output([sys.executable, '-m', 'pip', 'install', package, '--break-system-packages'])

    print("✅ 依赖项安装完成")
    return True
Confidence
96% confidence
Finding
subprocess.check_output([sys.executable, '-m', 'pip', 'install', package, '--break-system-packages'])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Try to install with --user flag
try:
    for package in missing_packages:
        subprocess.check_output([sys.executable, '-m', 'pip', 'install', package, '--user'])

    print("✅ 依赖项安装完成")
    return True
Confidence
94% confidence
Finding
subprocess.check_output([sys.executable, '-m', 'pip', 'install', package, '--user'])

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill advertises automated diagnosis, repair, optimization, dependency installation, and cache management, which are capabilities that can touch environment state, files, network access, and shell execution, yet no permissions are declared. This creates a transparency and trust problem: users and hosts cannot accurately assess or constrain what the skill may do before execution, increasing the risk of unexpected system modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
If the static finding is accurate, the described troubleshooting skill performs materially different and more sensitive actions than its stated purpose, including metadata modification, publishing, permission changes, dependency installation, and release testing. That mismatch is dangerous because users may invoke a diagnostic tool expecting analysis only, while it can alter the workspace, change permissions recursively, or publish artifacts—actions with significant integrity and supply-chain consequences.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill description frames the capability as troubleshooting and performance optimization, but the implementation performs direct environment mutation, package installation, permission rewriting, and directory creation. This mismatch is security-relevant because users may grant trust for diagnostics while the tool silently performs invasive changes beyond that expectation.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Executing package-management commands and recursive permission changes is disproportionately invasive for a generic troubleshooting skill and can materially affect system integrity and data exposure. In this context, the skill's broad repair actions make the static findings more dangerous because users may invoke it expecting low-risk diagnostics.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script includes package publication capability even though the skill is presented as a troubleshooting tool, creating hidden release-side effects that exceed user expectations. In a skill context, unexpected publish behavior increases supply-chain risk because a user or automation could trigger artifact release from a repository that appears focused only on diagnostics.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script executes external test and publish subprocesses that are not necessary for ordinary troubleshooting functionality, broadening the skill's operational scope. This is dangerous because agent ecosystems may run packaged helper scripts with elevated trust, and hidden external execution can lead to unintended actions in CI/CD or user environments.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The publication guide advertises automatic dependency installation and permission repair as core features without any warning that these actions modify the host system. In a troubleshooting skill, users are likely to run such actions with elevated trust, which increases the chance of unintended package changes, permission misconfiguration, or broader system impact.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide provides direct commands for broad repair actions such as 'fix all' and permission/dependency fixes without cautioning that they may alter system state or be difficult to undo. Because this is operational documentation, users may execute the commands verbatim, creating a realistic risk of unintended destructive or security-relevant changes if the underlying script is overly broad.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises automatic repair capabilities such as installing dependencies, fixing permissions, and repairing workspace structure, but it does not warn users that these actions can change the local system state. In a troubleshooting skill, users may run repair commands with high trust, so undocumented side effects can lead to unintended package installation, permission changes, or filesystem modifications.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The description promises automatic fixes, dependency installation, path/permission repair, and cache cleanup without clearly warning that the skill may modify user or system state. Even if intended to help, silent or poorly disclosed state changes can break environments, remove needed cache data, alter permissions unsafely, or install untrusted packages.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example automatically invokes repair functions that may change dependencies, workspace state, or permissions without any user confirmation, preview, or dry-run. In a troubleshooting skill, these actions can modify the local environment in unexpected ways and may cause configuration drift, broken setups, or unsafe permission changes if diagnosis is incorrect or overly broad.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Automatic dependency installation changes the Python environment without warning or confirmation, including the especially risky `--break-system-packages` option. This is dangerous because it can break managed environments, introduce unreviewed third-party code, and violate user expectations for a troubleshooting utility.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Recursive permission changes are performed without any prior warning, which can expose files, alter executability, and cause unintended access-control changes across an entire tree. In a skill context, silent filesystem permission mutation is risky because users may not anticipate broad security-impacting changes from a repair command.

Missing User Warnings

Low
Confidence
83% confidence
Finding
Creating directories without warning is a lower-severity issue, but it is still an unauthorized filesystem modification that can surprise users and alter workspace state. In a troubleshooting tool, silent creation is less severe than package installation or chmod, yet it still violates the principle of explicit user consent for write operations.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
beautifulsoup4>=4.12.2
lxml>=5.1.0
json5>=0.9.14
Confidence
95% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
beautifulsoup4>=4.12.2
lxml>=5.1.0
json5>=0.9.14
python-dotenv>=1.0.1
Confidence
95% confidence
Finding
beautifulsoup4>=4.12.2

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
beautifulsoup4>=4.12.2
lxml>=5.1.0
json5>=0.9.14
python-dotenv>=1.0.1
Confidence
95% confidence
Finding
lxml>=5.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
beautifulsoup4>=4.12.2
lxml>=5.1.0
json5>=0.9.14
python-dotenv>=1.0.1
Confidence
94% confidence
Finding
json5>=0.9.14

Unpinned Dependencies

Low
Category
Supply Chain
Content
beautifulsoup4>=4.12.2
lxml>=5.1.0
json5>=0.9.14
python-dotenv>=1.0.1
Confidence
94% confidence
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
82% confidence
Finding
requests

Known Vulnerable Dependency: lxml — 10 advisory(ies): CVE-2021-43818 (lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through); CVE-2014-3146 (lxml Cross-site Scripting Via Control Characters); CVE-2021-28957 (lxml vulnerable to Cross-Site Scripting ) +7 more

High
Category
Supply Chain
Confidence
86% confidence
Finding
lxml

VirusTotal

65/65 vendors flagged this skill as clean.
