OpenClaw Swarm Layer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate OpenClaw workflow orchestrator, but it starts a background service by default, persists workflow reports and logs to disk, and exposes high-impact automation controls (autopilot, ACP, session control).

Install only if you want a background workflow-orchestration plugin, not just a passive skill. Review the config before use:
  • Keep acp.enabled and autopilot.enabled off unless you intend automated agent execution.
  • Set enableService to false if you do not want the startup loop.
  • Avoid Obsidian sync for sensitive projects.
  • Review the .openclaw/swarm reports and logs: they can contain project names, task text, summaries, file paths, and session metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The code writes a detailed workflow report to local and optional Obsidian paths on disk without any visible consent, warning, or data-minimization step. Because the report includes task titles, run summaries, session summaries, runtime policy, and local file paths, it can persist sensitive operational or project information in locations the user may not expect.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The subprocess inherits the full parent environment via env: process.env, which can expose secrets such as API keys, tokens, proxy settings, and credentials to the child process and any code it loads. In this adapter, the child executes a bridge script and loader path that may pull in additional code, so environment inheritance broadens the blast radius if that subprocess or its dependencies are compromised or influenced.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
This code dynamically resolves and imports an ACPX service module from multiple filesystem locations, including state-directory and config-derived install paths, then executes its startup logic. If an attacker can influence the config or writable plugin directories, they may cause arbitrary JavaScript to be loaded and run inside the bridge process, turning plugin discovery into code execution.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The manifest enables the plugin on application startup via `onStartup: true`, causing orchestration features to initialize automatically without any documented gating, scoping, or user-confirmation control in this file. In a workflow orchestrator that can expose task-running and session-control tools, automatic activation increases attack surface and the chance of unintended execution or background behavior as soon as the host loads the skill.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill prominently advertises reporting and Obsidian sync, but the top-level description does not clearly warn that running it will write workflow reports, logs, and spec archives to local disk and may mirror them to an external knowledge base path. This can cause unintended persistence of sensitive prompts, task content, or project metadata, especially if users invoke the skill assuming it is purely advisory.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The skill describes autopilot, session reuse, review actions, retries, and control-plane operations in a way that encourages automated progression, but it does not clearly warn near those features that they can change workflow state without step-by-step operator confirmation. In practice, users may start autopilot or session commands expecting observation, while the system can dispatch tasks, alter task states, retry runs, and write associated reports.

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content (the flagged excerpt, reconstructed here as a complete function so it can be read in isolation; the wrapping function name is not from the plugin):

```js
// Flagged excerpt: the workflow advances on automated approve/reject/escalate
// decisions, and the counts below are how those decisions are summarised.
function summarizeDecisions(nextWorkflow, decisions) {
  return {
    workflow: nextWorkflow,
    decisions,
    counts: {
      autoApproved: decisions.filter((decision) => decision.decision === "approve").length,
      retryQueued: decisions.filter((decision) => decision.decision === "reject" && decision.finalStatus === "ready").length,
      rejectedBlocked: decisions.filter((decision) => decision.decision === "reject" && decision.finalStatus === "blocked").length,
      escalated: decisions.filter((decision) => decision.decision === "escalate").length,
    },
  };
}
```

Confidence: 89%
Finding
autoApprove

VirusTotal

52/52 vendors flagged this plugin as clean.

View on VirusTotal