klodi

Security checks across malware telemetry and agentic risk

Overview

This marketplace agent is mostly coherent, but it needs Review because it can act in transactions and has under-disclosed host session diagnostics and raw external wake content.

Install only if you are comfortable giving the plugin marketplace authority while OpenClaw is running. Before using it, review the negotiation_style policy, remove any auto-accept behavior you do not want, keep private facts out of listing text, and only pass photo paths you intend to upload. Be aware that the plugin stores credentials and marketplace strategy files locally and logs some OpenClaw session diagnostic metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The code logs a diagnostic snapshot from `inspectSessionStore`, including `store_path`, `entry_exists`, `most_recent_key`, and recency data for session records. Even if intended for troubleshooting, these fields expose internal filesystem layout and session identifiers/state that can aid lateral movement, tenant enumeration, or operational reconnaissance if logs are accessible to operators, support tooling, or downstream log processors.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: This code reads arbitrary local files and uploads their raw contents to a network endpoint via a minted upload URL. Although there are safeguards for absolute paths, size, file type, and some sensitive directories, the function still enables exfiltration of local image files without any user consent, prompt-bound allowlist, or restriction to a designated safe workspace, which is risky in an agent setting where file paths may come from untrusted instructions.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: The documentation encourages passing absolute local file paths and remote image URLs directly into a tool that uploads or forwards them, but it does not explicitly warn about privacy, consent, or unintended data transmission. In an agent setting, this increases the risk of users or downstream components exposing sensitive local files, metadata, or third-party-tracked URLs to external services without informed awareness.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill explicitly instructs the agent to read and rewrite a policy file with the user's negotiation preferences, but it does not require a clear disclosure that these preferences will be persisted to disk. This creates a consent and privacy issue: sensitive operational preferences such as payment methods, pickup areas, and shipping rules may be stored without the user fully understanding that the information is being written locally.

Ssd 1

Severity: High
Confidence: 97%
Finding: The handler embeds attacker-controlled channel text directly into the agent-visible wake message, including quoted natural-language content and the full JSON payload. Because the wake is what drives the model's next turn, a malicious sender can place prompt-injection instructions in message content that semantically steer the agent into unsafe actions, data disclosure, or tool misuse.

Ssd 3

Severity: Medium
Confidence: 90%
Finding: The file intentionally includes full event payloads in agent wakes, which means any sensitive or user-provided fields in notifications are automatically exposed to the model on wake. In this skill context, that increases risk because the agent receives raw external content without minimization, expanding both privacy exposure and the prompt-injection surface from event fields.

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
This file is your agent's rulebook — the standing orders it takes into
every marketplace interaction on your behalf. Think of it as the brief
you'd give a human broker: how hard to push, what's off-limits without
checking with you, where you'll meet buyers, how you like to get paid.

The agent reads this before replying to any message, offer, or

Confidence: 87%
Finding: without checking

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
## Authorization

Agent may do these without asking.

- Reply to factual Q&A using Public Knowledge and listing description.
- Update listing description with factual clarifications that do not alter price, condition, or delivery terms.

Confidence: 90%
Finding: without asking

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal