Security audit

Ponddepth Levels

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a local UI overlay, but it also installs persistent background jobs and reads broad local activity data in ways users are not fully told about.

Review before installing. This skill modifies your local OpenClaw UI, creates persistent scheduled jobs, reads local activity/session-derived data for XP, checks ClawHub login status, and can enable recommended skills from the overlay. If installed, verify the cron jobs yourself and remove them manually on uninstall if the script does not.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
from pathlib import Path

WS = Path(".")  # workspace directory; assigned elsewhere in the skill (not shown on this page)

def try_install(name: str) -> tuple[bool, str]:
    try:
        cp = subprocess.run(
            ["clawhub", "install", name],
            cwd=str(WS),
            text=True,
            capture_output=True,
            timeout=600,
        )
    except (OSError, subprocess.SubprocessError) as exc:  # remainder assumed; the page shows only the call
        return False, str(exc)
    return cp.returncode == 0, cp.stdout + cp.stderr
Confidence
90% confidence
Finding
The helper shells out to `clawhub install <name>` via subprocess.run with a list argv, no shell, and a 600 s timeout. The list argv rules out shell injection, but `name` is whatever the skill's install queue hands it, so the contents of that queue decide which additional code gets fetched and installed.
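The check that produced this finding (and the Behavioral AST patterns listed above: exec()/eval() calls and dynamic imports) can be reproduced with a short walk over Python's own `ast` module. This is an added example, not SkillSpector's code and not code from the skill: it classifies every call expression in a source file, extracts the literal argv of subprocess calls, and flags any whose argv contains `install`. The sample source is a constructed copy of the try_install() call on this page with two extra functions appended to exercise the other two detectors; it is parsed, never executed.

```python
"""Reproduce the 'subprocess module call' and Behavioral AST checks with the ast module."""
from __future__ import annotations

import ast
from dataclasses import dataclass

SUBPROCESS_FUNCS = {"run", "Popen", "call", "check_call", "check_output"}
DYNAMIC_IMPORTS = {"__import__", "import_module"}  # builtins.__import__, importlib.import_module


@dataclass
class Finding:
    lineno: int
    pattern: str
    detail: str


def _callee_name(call: ast.Call) -> str:
    """Dotted name of the called object, e.g. 'subprocess.run'; '' if it is not a plain name."""
    parts: list[str] = []
    node = call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _literal_argv(call: ast.Call) -> list[str]:
    """String elements of a literal argv list/tuple; non-literal elements become '<dynamic>'."""
    if not call.args:
        return []
    first = call.args[0]
    if isinstance(first, (ast.List, ast.Tuple)):
        return [
            e.value if isinstance(e, ast.Constant) and isinstance(e.value, str) else "<dynamic>"
            for e in first.elts
        ]
    if isinstance(first, ast.Constant) and isinstance(first.value, str):
        return first.value.split()
    return ["<dynamic>"]


def scan_source(src: str) -> list[Finding]:
    """Walk every Call node in `src` and classify it; findings come back in line order."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name in ("eval", "exec"):
            findings.append(Finding(node.lineno, "eval/exec call", name))
        elif name.rsplit(".", 1)[-1] in DYNAMIC_IMPORTS:
            findings.append(Finding(node.lineno, "dynamic import", name))
        elif name.startswith("subprocess.") and name.split(".")[1] in SUBPROCESS_FUNCS:
            argv = _literal_argv(node)
            pattern = "subprocess install command" if "install" in argv else "subprocess module call"
            findings.append(Finding(node.lineno, pattern, " ".join(argv) or "<no literal argv>"))
    findings.sort(key=lambda f: f.lineno)
    return findings


# Constructed sample: the try_install() call from this page plus two functions that
# exercise the dynamic-import and eval detectors. WS is deliberately undefined;
# ast.parse never runs the source.
SAMPLE = """\
import subprocess, importlib
def try_install(name: str) -> tuple[bool, str]:
    cp = subprocess.run(
        ["clawhub", "install", name],
        cwd=str(WS),
        text=True,
        capture_output=True,
        timeout=600,
    )
    return cp.returncode == 0, cp.stdout
def load(mod):
    return importlib.import_module(mod)
def run_snippet(code):
    return eval(code)
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.lineno}: {f.pattern} -> {f.detail}")
```

Two limits worth knowing before relying on a walk like this: it only resolves the literal module name, so `import subprocess as sp; sp.run(...)` is missed unless you track import aliases, and an argv built at runtime shows up as `<dynamic>`, which is exactly the case (a queue-fed name) that deserves a closer look rather than a pass.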

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions despite requiring environment access, file reads/writes, network access, and shell execution. This is dangerous because users and reviewers cannot accurately assess the trust boundary: the skill modifies installed UI assets, writes files, and creates scheduled jobs, all of which expand persistence and tampering risk beyond a simple UI overlay.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose describes a cosmetic leveling overlay, but the behavior includes reading chat/session data, querying live endpoints, installing helper tasks, editing cron jobs, checking authentication state, and modifying application assets. This mismatch is dangerous because it hides sensitive data access and persistent system changes behind an innocuous description, undermining informed consent and making abuse or overcollection harder to detect.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The overlay is presented as a leveling/status UI, but it also provides actionable install/enable flows for skills. Even though install is mediated by copying a command and enablement requires a click, this expands the component from passive display into privileged operational guidance, which can nudge users into changing system state from an unrelated UI surface.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code queries chat.history and derives companion-day metrics from message timestamps, which is behavioral data unrelated to a simple badge/XP overlay as described. Accessing conversation history without clear disclosure or opt-in creates a privacy boundary violation and normalizes hidden telemetry collection in UI code.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The overlay directly calls skills.update to enable skills, which is a state-changing privileged RPC unrelated to the stated purpose of showing badge/XP/news. Embedding administrative mutations in a convenience overlay increases the chance of accidental or socially engineered activation of capabilities the user did not intend to turn on.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The installer goes beyond deploying UI assets and persistently installs helper scripts into the workspace tasks directory, then creates or edits scheduled OpenClaw cron jobs to run them automatically. For a skill described as a UI leveling overlay, this materially expands the trust boundary and creates autonomous execution behavior that users may not expect, increasing the risk of covert data access, persistence, or ongoing side effects.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script configures autonomous scheduled jobs that run every 10 minutes and hourly, despite the stated purpose being a UI leveling overlay. Unnecessary automation creates persistence and recurring execution channels that could be used to exfiltrate information, modify workspace state over time, or silently fail in ways the user never notices.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file collects ClawHub login state and username and writes it into OpenClaw Control UI assets, which is outside the declared leveling-overlay functionality. That mismatch is dangerous because it introduces undisclosed identity/status collection into a UI-facing artifact, potentially exposing sensitive account information to components or users that were not meant to receive it.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The module docstring explicitly states that it writes ClawHub login status for a separate UX purpose, contradicting the skill's advertised leveling-overlay role. This inconsistency is a strong indicator of hidden or undeclared behavior, which increases the risk that the skill is performing data collection or UI modification beyond what an installer would reasonably expect.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This UI leveling skill reads local session logs, counts messages across sessions, and aggregates total token usage into a Control UI asset. That is broader than a simple presentation overlay and creates unnecessary collection and exposure of conversation-derived metadata, which can reveal usage patterns and engagement history without clear minimization or consent.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code calls `openclaw sessions --all-agents --json` and sums token usage for all agents, exceeding what a companion leveling overlay would normally require. Cross-agent aggregation can disclose broader activity metadata and violate least-privilege expectations by pulling information unrelated to this skill's stated function.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script goes beyond a simple UI overlay by scanning the user's local OpenClaw workspace memory files and persisting derived activity metrics into the UI assets directory. Even though it does not exfiltrate data, it accesses behavioral/history data not clearly justified by the skill description, creating an unnecessary privacy-sensitive data collection path.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This code inspects local workspace memory/history to infer active days by enumerating dated markdown files and checking their size. For a skill presented as a leveling overlay, that capability is broader than expected and can reveal user activity patterns and retention details, making the behavior privacy-invasive in context.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements a background installer queue that invokes `clawhub install <name>`, which is unrelated to the declared functionality of a leveling overlay UI skill. That mismatch is a strong indicator of hidden capability expansion: a seemingly harmless skill can cause other skills or code to be installed without the user understanding that this behavior exists.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Executing external installation commands is an unjustified privileged capability for a leveling overlay skill and materially increases risk because it can fetch and execute additional code on the system. In this context, the skill description makes the behavior more suspicious, not less, since users would not reasonably expect a cosmetic overlay to manage software installation in the background.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The installer writes into both workspace-managed paths and a system-like UI assets directory without an upfront warning, confirmation, or dry-run mode. While the writes shown are not inherently malicious, silently modifying user-visible and potentially privileged locations increases the chance of unintended overwrite, trust abuse, or operational disruption.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script silently installs or edits persistent scheduled jobs without clearly warning the user that background automation will be created. Hidden persistence is a security-relevant behavior because it enables future code execution independent of the initial install and can continue affecting the workspace after the user forgets the skill was installed.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script processes a queue and attempts installation automatically, with no visible user confirmation, consent flow, or warning beyond an internal comment. This creates a silent persistence and execution path where queued entries can repeatedly trigger installs, making abuse harder for a user to notice or stop.
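The three findings about the background installer (the `clawhub install <name>` queue, the unjustified install capability, and the missing confirmation) describe one design problem: queued names flow straight into a privileged command with no validation and no consent step. The following is an added example of the same queue loop in a hardened form; it is not the skill's code and not a drop-in replacement for it. The skill-name pattern, the hand-edited approvals file, and the injected command runner are assumptions made so the logic runs offline; `clawhub` is never invoked here. It generalizes slightly beyond the page: the name check also closes option injection, since a list argv stops shell injection but a queue entry such as `--force` would still reach the CLI as an option.

```python
"""Hardened form of a background install queue: validate, require consent, log, dry-run."""
from __future__ import annotations

import re
import subprocess
from pathlib import Path
from typing import Callable

# Assumed slug rule for registry skill names (adjust to the real registry's rules).
# The first character must be alphanumeric, so no entry can reach the CLI as an
# option ("--force") or a relative path ("../x").
NAME_RE = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")

# A runner takes argv and returns (returncode, combined output). It is injected so
# the queue logic can be tested without running the real command.
Runner = Callable[[list[str]], tuple[int, str]]


def real_runner(argv: list[str]) -> tuple[int, str]:
    """The only place the real command runs; same list argv and timeout as the skill's helper."""
    cp = subprocess.run(argv, text=True, capture_output=True, timeout=600)
    return cp.returncode, cp.stdout + cp.stderr


def valid_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


def read_list(path: Path) -> list[str]:
    """One entry per line, blank lines and '#' comments ignored. Used for both the queue
    and the hand-edited approvals file (an assumed consent mechanism)."""
    if not path.exists():
        return []
    return [ln.strip() for ln in path.read_text().splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def process_queue(queue: list[str], approved: set[str], runner: Runner,
                  log: list[str]) -> list[tuple[str, str]]:
    """Decide each queued entry and append one log line per decision.
    Outcomes: rejected (bad name), unapproved (no explicit consent), ok, failed."""
    results: list[tuple[str, str]] = []
    for name in queue:
        if not valid_name(name):
            log.append(f"REJECT {name!r}: not a valid skill name")
            results.append((name, "rejected"))
        elif name not in approved:
            log.append(f"SKIP {name}: not in the user's approvals list")
            results.append((name, "unapproved"))
        else:
            rc, out = runner(["clawhub", "install", name])
            outcome = "ok" if rc == 0 else "failed"
            log.append(f"{outcome.upper()} {name}: rc={rc} {out.strip()[:80]}")
            results.append((name, outcome))
    return results


def dry_run(queue: list[str], approved: set[str]
            ) -> tuple[list[tuple[str, str]], list[list[str]], list[str]]:
    """Run the queue logic with a recording runner; returns (results, planned argv, log)."""
    planned: list[list[str]] = []

    def recorder(argv: list[str]) -> tuple[int, str]:
        planned.append(argv)
        return 0, "dry-run"

    log: list[str] = []
    return process_queue(queue, approved, recorder, log), planned, log


# Constructed sample queue: one approved entry, two entries that would be option/path
# injection against the CLI, and one that the user never approved.
SAMPLE_QUEUE = ["helper-skill", "--force", "../evil", "unreviewed-skill"]
SAMPLE_APPROVED = {"helper-skill"}

if __name__ == "__main__":
    results, planned, log = dry_run(SAMPLE_QUEUE, SAMPLE_APPROVED)
    print("\n".join(log))
    print("would run:", planned)
```

The approvals set is the consent step the findings say is missing: a scheduled job can still drain the queue, but it can only install names the user has already written down, and the dry-run path lets the user see exactly which argv a scheduled run would execute before any job is created.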

VirusTotal

65/65 vendors flagged this skill as clean. A clean antivirus result does not address the findings above: none of them involve a known-malicious signature, only capabilities, data access, and persistence that the skill's description does not disclose.
