Install Hirey AI on OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This looks like a real Hirey/OpenClaw installer, but it gives the skill broad persistent control over the host and allows automatic updates without enough user control.

Review before installing. This package may modify OpenClaw hooks and MCP config, bind this chat as the default Hi route, write local Hi state, create calendar events for scheduled meetings, and auto-update or restart the gateway from Hi release webhooks. Only install if you trust Hirey AI with that level of ongoing control; consider backing up OpenClaw config and requiring manual approval for updates or calendar writes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill explicitly authorizes silent self-updates by executing platform-provided shell install commands, restarting the gateway, and conditionally rolling back, all without user confirmation. That grants the skill a software-modification path far beyond ordinary matching workflow duties and creates a supply-chain and arbitrary command-execution risk if the release event or command source is compromised or spoofed.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The document tells the agent to avoid ad-hoc shell and direct host edits, then later instructs exactly that for updates and restarts. This contradiction is dangerous because it normalizes bypassing the stated safety boundary and makes it easier for an agent to justify privileged host operations during a normal user-facing workflow.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to automatically create local calendar events for scheduled meetings without asking first. Even if meeting scheduling is related to the product, silently modifying the owner's personal calendar crosses into a separate local-system side effect that can expose private metadata, create unwanted entries, or overwrite user-managed events if synchronization logic is imperfect.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The plugin metadata describes the skill as useful for a very broad range of people-finding activities, including jobs, housing, friendship, dating, legal and investor discovery, rather than tightly scoping it to a narrow installation task. Broad semantic framing increases the chance the agent will invoke this package in unrelated user contexts, causing unintended installation or workflow redirection beyond the user's actual request.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The defaultPrompt contains strong operational directives to run installation commands, avoid alternative tooling paths, avoid asking clarifying questions, use defaults, and proceed through identity-binding and setup flows. Because these instructions lack strict trigger boundaries, they can steer the agent into performing persistent host changes and account-linking steps in contexts where the user did not clearly authorize installation, making unintended execution substantially more dangerous.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest advertises the plugin as usable for broad 'people-finding' across sensitive domains including jobs, housing, dating, friendship, and legal/professional matching, with 'any other people-finding work' removing meaningful scope limits. This kind of unconstrained positioning increases the chance the agent is invoked in inappropriate, high-risk contexts involving profiling, targeting, discrimination, or privacy-invasive lead generation without clear user-intent or policy boundaries.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The interface text reinforces the skill as a general-purpose human-target discovery and matching tool across employment, housing, social, romantic, and legal/investor contexts, but provides no guardrails for when it should or should not activate. In agent ecosystems, ambiguous capability descriptions can cause overbroad invocation and unsafe downstream use, especially in domains with legal, privacy, and discrimination risks.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger description is extremely broad, covering many generic intents like install, set up, register, repair, and even multiple product-name variants. That increases the chance the skill is invoked in situations where the user did not specifically request this installer, which can lead to unnecessary installation actions or configuration changes on the host.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code directly modifies and deletes entries in the user's persistent OpenClaw configuration file (`hooks` and `mcp.servers.<name>`) without any built-in user confirmation, disclosure, or policy gate in this code path. Even though the implementation is careful about atomic writes and conflict detection, it still creates session-persistent changes that can alter future agent behavior, especially via hooks and MCP server definitions.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
This installer modifies persistent host configuration and deletes manifests on cleanup, affecting files under the user's OpenClaw state path. In a skill context, silent mutation of agent config is security-relevant because it can change trusted hooks, MCP server commands, and routing behavior without an explicit runtime warning or consent checkpoint.

Missing User Warnings

Low
Confidence
72% confidence
Finding
The installer performs an outbound fetch to a platform-controlled endpoint during setup/status logic without obvious runtime disclosure. In an agent-install context this matters because hidden network access can leak installation metadata, create unexpected trust dependencies, and undermine user expectations about offline or local-only behavior.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation scope is extremely broad, covering nearly any 'people-finding' intent even when the user does not mention Hi. Overbroad triggering increases the chance that the skill activates in contexts where the user did not intend platform-mediated matching or external contact workflows, leading to inappropriate data handling or actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The top-level description does not prominently warn that using the skill may create calendar entries automatically. Hidden side effects reduce informed consent and make the calendar-write behavior more dangerous because users may invoke the skill for matching help without realizing it can modify local applications.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill does not warn up front that it may silently install updates, restart services, and modify the local plugin state. Omitting this from the top-level description makes privileged host changes effectively hidden behavior, which is especially risky because the mechanism relies on webhook-triggered shell execution.

Ssd 2

High
Confidence
98% confidence
Finding
The comments explicitly discuss avoiding scanner detection by reshaping code and strings to bypass regex-based checks. Even though this file currently avoids subprocess execution, documented intent to evade security scanning is itself highly suspicious in an installer that writes host config and stages executable tooling, because it demonstrates awareness of security controls and deliberate efforts to circumvent them.

Ssd 1

High
Confidence
99% confidence
Finding
These instructions authorize autonomous self-modification: the agent is told to trust a release event, execute an install command via shell, restart the gateway, and only then verify or roll back. This is dangerous because it gives an external event stream a direct path to modify code and runtime state on the host without human approval, expanding compromise impact from application logic to full host/plugin integrity.

Ssd 1

Medium
Confidence
92% confidence
Finding
Automatically adding calendar events without prior confirmation is a form of autonomous side-effecting action on a user-owned local system. Because calendars often contain sensitive personal/professional information and can trigger notifications or downstream sync, unprompted writes are more than a convenience issue—they create privacy and integrity risks.

VirusTotal

64/64 vendors flagged this plugin as clean.
