Agent Runtime Guard

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real local runtime security plugin, but it needs Review because it has broad agent hooks, persistent audit logging, and under-disclosed sensitive-data and setup-script risks.

Install only if you are comfortable giving this plugin broad control over OpenClaw runtime decisions and letting it inspect agent messages/tool inputs and write local audit logs. Review the audit path and retained fields, avoid running the prepare-speckit scripts unless you understand the Git and remote-code effects, and prefer a version that fixes the redaction/minimization mismatches and removes the execution-policy-bypass guidance.

Publisher note

Injecting into the OpenClaw runtime needs native host access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The module comment says identifiers are hashed and params/content are only summarized, but the implementation stores the full params object in resource.params_summary and includes detailed secret_findings derived from contentText. In an event-mapping pipeline, this mismatch can cause downstream systems to ingest and persist sensitive inputs under the false assumption they were minimized, increasing privacy and secret exposure risk.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The module-level comment promises that audit records are redacted before being written, but this function serializes and appends sensitive fields such as reason, subject, and secret-finding metadata directly with no visible sanitization step in this file. That mismatch is dangerous because operators may rely on the documented privacy guarantee and unknowingly persist sensitive data, creating a confidentiality and compliance risk.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The function claims to redact secrets detected by SecretScanner, but the loop over scanner findings never modifies `result`; it effectively does nothing. As a result, secrets not matching the hard-coded regexes can still be written to audit logs, causing credential leakage through logs and downstream log storage or monitoring systems.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The file-level documentation explicitly states that outputs never include secret plaintext, yet the exported findSecretText() function returns the full matched secret value. In a secret-scanning component, this creates a dangerous trust mismatch: downstream code or operators may assume the module is safe for logging or lower-trust handling, while another API in the same module can expose raw credentials for exfiltration, accidental logging, or insecure storage.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The README explicitly instructs users to run an installation script with `PowerShell -ExecutionPolicy Bypass`, which weakens a built-in safety control and normalizes executing local scripts without policy enforcement. In a plugin-install context, this is materially risky because users are being directed to trust and execute bundled code from an extracted archive, increasing the chance of accidental malicious or tampered script execution.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding
The README tells users to merge the plugin configuration into `%USERPROFILE%\.openclaw\openclaw.json` without warning about reviewing changes, backing up the existing file, or validating what the plugin configuration enables. In the context of an agent runtime security plugin, configuration changes may alter tool permissions, network behavior, or startup behavior, so undocumented config modification can lead to unexpected exposure or breakage.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script mutates repository state automatically by running `git init` when `.git` is absent and force-switching/resetting the current branch with `git checkout -B 001-agent-runtime-guard-openclaw` when on no branch, `main`, or `master`. In an agent skill context, this is dangerous because it can silently rewrite the user's working Git context, disrupt existing work, and create or reset a branch without explicit confirmation or a safety check for uncommitted changes.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The script downloads and executes code directly from `git+https://github.com/github/spec-kit.git` via `uvx` or `pipx run` without pinning to a specific commit or version and without user approval. This creates a supply-chain execution risk: if the remote repository, dependency resolution, or transitively installed packages are compromised, arbitrary code may run in the user's environment.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script silently initializes a Git repository and force-switches/creates a branch with `git checkout -B`, which modifies the user's repository state without any warning, prompt, or dry-run mode. In an agent skill context, this is risky because users may run the script expecting setup only, but it can alter branch state and potentially disrupt existing work or automation.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The script executes code fetched directly from a remote GitHub repository via `uvx` or `pipx run --spec`, effectively trusting and running whatever content is currently served from that URL. This is dangerous because it introduces a supply-chain risk: repository compromise, malicious upstream changes, or man-in-the-middle/dependency issues could lead to arbitrary code execution on the user's machine.

VirusTotal

64/64 vendors flagged this plugin as clean.
