claw-sentinel

Security checks across malware telemetry and agentic risk

Overview

This governance plugin is mostly purpose-aligned, but it includes a setup routine that directly changes local OpenClaw authorization files and restarts the gateway without a clear approval or rollback flow.

Review before installing. The core plugin behavior is coherent for cost control and DLP, and VirusTotal is clean, but the bundled setup routine should not be used unless you are comfortable with it changing OpenClaw device permission files, clearing pending approvals, and restarting the gateway. Prefer a version that removes direct authorization-file patching or uses the normal OpenClaw approval flow with confirmation, backup, and rollback.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence: 90%
Finding
The README explicitly states that the plugin scans inbound messages and model responses for secrets/PII and later notes that the claude-cli runtime tails session JSONL files under ~/.claude/projects/. Even if the stated purpose is protective, monitoring conversation content and local session logs without a prominent privacy notice, consent model, retention disclosure, and scope limitation creates a real privacy/security risk because sensitive user data may be inspected and metadata persisted to audit logs.

Missing User Warnings

Medium
Confidence: 89%
Finding
The declaration comments describe a one-shot setup command that directly patches an authoritative local pairing file and restarts the gateway to change device permissions. Even if intended as a usability fix, modifying security-relevant local state outside the normal approval flow can bypass expected authorization controls and create surprising, potentially destructive side effects for users.

Missing User Warnings

Medium
Confidence: 93%
Finding
This setup script directly edits OpenClaw's authoritative local device state to add privileged scopes (`operator.write`, `operator.pairing`) and then clears `pending.json`, effectively bypassing the normal approval workflow. Even if intended as a usability fix, it grants elevated permissions by tampering with local trust/authorization files without an explicit interactive confirmation immediately before the write, which weakens security boundaries and could normalize silent privilege escalation.

Missing User Warnings

Medium
Confidence: 92%
Finding
The manifest explicitly requests broad conversation access and advertises DLP/audit hooks that can inspect message content, but it does not provide any user-facing notice about the privacy implications. Even if the purpose is protective, this expands access to potentially sensitive prompts and responses and can lead to unnoticed collection or inspection of private data.

Missing User Warnings

Medium
Confidence: 90%
Finding
The audit feature can write conversation-related data to a JSONL file on disk, but the manifest does not clearly warn users that message content or derived metadata may be persisted locally. This creates a confidentiality risk because sensitive prompts, outputs, or identifiers may remain on disk beyond the active session and be exposed through local compromise, backups, or shared environments.

VirusTotal

61/61 vendors flagged this plugin as clean.