AEGIS

Security checks across malware telemetry and agentic risk

Overview

AEGIS appears purpose-built for crisis monitoring, but it needs Review because it can store secrets, post automated Telegram alerts, and optionally send sensitive crisis/location context to third-party LLM endpoints with incomplete disclosure.

Install only if you are comfortable with an automated crisis-alerting tool. Test scans manually before enabling cron, use a dedicated low-privilege Telegram bot, protect ~/.openclaw files, avoid --show around logs or screen sharing, and prefer local Ollama over a cloud LLM for sensitive deployments. Verify urgent alerts against official emergency and embassy sources before acting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Tainted flow: 'SEEN_FILE' from os.environ.get (line 27, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def save_seen(seen):
    """Save seen content hashes."""
    DATA_DIR.mkdir(parents=True, exist_ok=True)
    with open(SEEN_FILE, 'w') as f:
        json.dump(seen, f)

def content_hash(text):
Confidence
86% confidence
Finding
with open(SEEN_FILE, 'w') as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documents use of environment variables, local file reads/writes, shell/cron execution, and outbound network access, but does not declare corresponding permissions. That creates a transparency and consent gap: users or platforms may authorize the skill under false assumptions while it can persist config, schedule tasks, fetch remote data, and send messages externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented behavior goes beyond the headline description by storing sensitive configuration, supporting external LLM endpoints, posting to Telegram, and managing cron automation. While these features are related to alerting, the incomplete description can mislead users about persistence, external transmission, and automation, increasing the risk of over-privileged deployment or accidental data exposure.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The documentation states that no data is sent externally beyond listed sources, but later permits arbitrary OpenAI-compatible LLM endpoints for verification. This is a data-flow misrepresentation: source content, possibly including user location or alert context, could be transmitted to third-party services not covered by the earlier disclosure.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The outbound-connections section claims the scanner contacts only enumerated destinations, yet later configuration allows additional arbitrary LLM endpoints. This inconsistency can cause users and security reviewers to underestimate external data exposure and trust boundaries.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The channel publisher is documented as a formatter/poster, but it also directly loads decrypted secrets from a shared secrets store and a development .env file, expanding variables and injecting them into process environment state. This broadens the component's privilege and secret access unnecessarily, increasing blast radius if the script is modified, misused, or compromised.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The onboarding flow collects API credentials and stores them directly in a local JSON config file, which is plaintext by default. On multi-user systems, compromised endpoints, backups, or accidental file disclosure, these secrets can be recovered and abused to access third-party services or infer sensitive monitoring behavior.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The --show path prints the entire configuration object verbatim, which includes stored API keys and LLM credentials. This can expose secrets to shell history capture, terminal logs, screen sharing, support transcripts, or any process/user able to observe the session.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README tells users to export a Telegram bot token and channel ID but does not warn that the bot token is a sensitive secret that must not be committed, logged, shared, or embedded in shell history. In a security-sensitive alerting skill, mishandling this token could let an attacker hijack the bot, read or send messages as the alerting system, and undermine trust in emergency notifications.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The skill supports Telegram delivery but does not clearly warn that alert contents will be transmitted to Telegram once bot credentials are configured. Even if expected functionally, users should be explicitly informed that message text and metadata leave the local environment and become subject to Telegram's security and retention model.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The cloud LLM configuration example encourages sending alert content to a third-party API but does not warn users that potentially sensitive location, safety, or incident data may leave the local environment. In a crisis-monitoring skill, that omission can lead users to unknowingly disclose highly sensitive operational or personal context to external providers, increasing privacy and surveillance risk.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The guidance abruptly switches to UAE-specific evacuation routes and assumptions without clearly labeling the section as region-specific or asking the user to confirm they are in the UAE. In an emergency-preparedness skill, users may over-trust the content and apply these routes or airport/border assumptions outside the UAE, causing dangerous delays, misrouting, or movement toward unsafe locations.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The file’s description and severity logic explicitly hinge on triggering urgent alerts based on the user’s country, but the artifact shows no accompanying mechanism for explicit regional opt-in, locale handling, or consent boundaries. In a crisis-alert skill, this can cause users to receive alarming, high-urgency notifications that are irrelevant, mislocalized, or not appropriate for their jurisdiction, increasing panic and reducing trust in genuine alerts.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script republishes text scraped from external sources directly to Telegram with only relevance filtering and truncation, but no sanitization, provenance checks, or explicit consent/notice controls. In this skill context, broadcasting crisis alerts makes misinformation or maliciously crafted source text more dangerous because it can trigger panic, unsafe movement, or trust erosion.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script asks users for sensitive API keys and persists them without clearly stating they will be stored locally in plaintext. This creates an informed-consent and security hygiene problem: users may provide credentials assuming safer handling than actually occurs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The scanner transmits item title/description plus country context to an LLM endpoint, and in openai-compatible mode this may send potentially sensitive user-location-adjacent data and fetched content to third-party infrastructure. In a crisis-monitoring skill, location context is especially sensitive because it can reveal where a user is monitoring or potentially located during a conflict.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code constructs external API queries from city, country, language, and key material, then sends them to remote services without any explicit user-consent or disclosure mechanism in this code path. Because this skill handles warzone and civilian safety monitoring, sharing location-derived queries with third parties increases privacy risk and may expose sensitive patterns of user interest or presence.

VirusTotal

61/61 vendors flagged this skill as clean.
