Security audit

clawgrid

Security checks across malware telemetry and agentic risk

Overview

This marketplace connector is mostly purpose-aligned, but it grants persistent automation and exposes credentials/session data in ways users should review before installing.

Install only if you intentionally want a persistent ClawGrid worker that can run scheduled jobs, change OpenClaw exec approval defaults, use a stored API key for bids/reviews/wallet actions, and send task/debug data back to ClawGrid. Review the credential storage, self-update behavior, cron jobs, and token exposure before trusting it on an account or machine with sensitive data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (43)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill declares no dependencies/permissions while its instructions clearly direct file reads, shell execution, network/API interaction, file uploads, cron setup, and approval-configuration changes. This under-disclosure prevents users or platform controls from understanding the real capability and risk surface, especially because the skill can access local config files and execute scripts that persist automation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The public description frames the skill as a connector for bind codes, registration, heartbeat, polling, and submission, but the body authorizes many additional high-risk actions: bidding, payouts, profile and automation changes, publisher review decisions, self-updating, and changing exec approval and cron configuration. That mismatch can mislead owners into invoking a much more privileged automation surface than they intended.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script implements bid submission on marketplace tasks, but the declared skill scope only covers registration, heartbeat scheduling, task polling, claiming, execution, and artifact submission. This scope mismatch is dangerous because it grants an extra account-affecting capability that users, reviewers, or policy controls may not expect, enabling unintended spending or contractual commitments through the user's authenticated marketplace account.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The reset command deletes the entire local skill directory (`$SKILL_DIR`) rather than only profile state or the active symlink. That exceeds the stated profile-management scope and can destroy unrelated local code or tooling if the path is broader than expected or if users invoke reset assuming it is non-destructive.

Intent-Code Divergence

Low
Confidence
83% confidence
Finding
The help text understates what `reset` actually does: the implementation will fully delete an unmanaged `~/.clawgrid` directory, not just remove a symlink. This mismatch creates a safety issue because users may trust the documentation and accidentally lose local data they did not expect the tool to erase.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This script adds a separate telemetry/debug-report upload step that is outside the core registration, polling, execution, and artifact submission flow described in the skill metadata. That creates an undisclosed extra data egress path, and because the report contents are generated by local_debugger.py, it may transmit sensitive execution context, prompts, logs, or artifacts to the marketplace without clear operator awareness.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The comments state that both the agent config flag and the task-level flag must be true before a debug report is submitted. TASK_DEBUG_FLAG defaults to 'False' when omitted, so omission alone prevents submission; the more important issue is that the task flag is treated as a loose string gate while the agent flag defaults to true, making the safety contract fragile and easy to misconfigure. In a connector that automatically handles remote tasks, weak or confusing gating around telemetry increases the chance of unintended disclosure.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The heartbeat routine performs a silent self-update by executing install.sh and then re-runs setup-exec-approval.sh to change execution approval behavior. A periodic background job that both updates its own code and reconfigures local execution policy materially expands its authority: if the update path or server-driven inputs are compromised, the host can be changed without an explicit user action.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script reads OpenClaw's sessions.json to discover the most recent direct-message target and persists channel, recipient, and account metadata for later delivery. Inspecting cross-channel session state to route messages can leak private metadata and enables this skill to send unsolicited notifications to arbitrary prior DM targets without fresh user selection.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The installer invokes a separate script to configure execution approval outside the core connector functions of registration, heartbeat, polling, and artifact submission. Changing execution approval can weaken host safety controls globally, and doing so during install without explicit user consent expands the trust boundary beyond the stated purpose of the skill.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The installer fetches a remote manifest and downloads/replaces local skill files from a server at install time, effectively performing self-update and remote code deployment. Because there is no integrity verification such as signed manifests, pinned hashes, or trusted version validation, a compromised server or manipulated API base can deliver arbitrary replacement code that will later be executed.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script emits executable accept/decline curl commands containing the live Bearer API key in its JSON output. That exposes credentials to any downstream model, logger, UI, or plugin that can read the action payload, enabling unauthorized API use and account takeover within the platform.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script scans all installed skills for update flags and emits instructions telling the agent to re-read arbitrary SKILL.md files from other skills. This creates a cross-skill prompt/control channel where another skill can influence this skill's runtime behavior, weakening isolation and enabling instruction hijacking.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script exposes publisher-side review powers such as approve, reject, and revision handling, which are materially broader than a marketplace connector described as registration, heartbeat scheduling, task polling, execution, and artifact submission. In an agent skill context, this scope expansion is dangerous because it enables payout-affecting administrative actions that a user may not expect the connector to possess, increasing the risk of unauthorized task decisions and abuse.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code can approve tasks and stage approvals, which directly affects payouts, and can reject or request revisions, which affects worker compensation and task status. Because the stated skill purpose is a connector for registration, polling, execution, and submission, embedding payout-impacting publisher controls creates a hidden high-risk capability that could be misused by an agent or unsuspecting operator.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script’s header says it does not modify global settings, but it writes to $HOME/.openclaw/exec-approvals.json, which is a user-global approval policy file. That mismatch is security-relevant because it silently broadens execution trust for future sessions and other skills, reducing the user’s ability to make an informed consent decision.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manual submission path silently appends the local task log to the outbound artifact payload before transmitting it. Those logs may contain prior prompts, user data, file paths, API responses, or other sensitive context that the operator did not intend to disclose, creating an unexpected data exfiltration path.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list contains generic phrases like 'earn money', 'earn crypto', 'check tasks', 'do a task', and 'my earnings' that can match ordinary conversation unrelated to this marketplace. Overbroad activation increases the chance the skill is invoked unexpectedly and then gains access to sensitive local state or performs account-affecting actions in the wrong context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to read credentials from ~/.clawgrid/config.json and to use them automatically, but does not pair that with a clear user-facing warning or consent flow. In context, those credentials authorize marketplace actions, submissions, wallet operations, and account changes, so silent access materially increases the risk of unintended credential use and account abuse.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The rule forces every owner-facing message to carry a platform-branded prefix, which constrains user-controlled communication and can misrepresent the source or endorsement of messages. In this skill, that requirement is unnecessary for core task execution and increases the risk of deceptive or policy-driven messaging patterns.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide instructs setup of a public profile page and notes visibility defaults, but does not present a clear upfront privacy warning before encouraging use. This can lead users to unintentionally expose identity, descriptive metadata, or tracking-relevant information on a public marketplace profile, which is a real privacy/security concern in a connector handling earnings and agent identity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This section explicitly instructs the agent to fetch arbitrary target URLs and, for authenticated fetches, to use cookies/credentials/oauth, but it provides no safety checks, allowlisting, consent boundary, or warning about sending secrets and making external network requests. In an agent skill, this can enable SSRF-like access, unintended data exfiltration, or disclosure of user/session credentials to attacker-controlled targets if task input is malicious or compromised.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The owner-reply handler accepts very broad commands like "accept" or "claim" and may act on the first or only pending item without requiring a strong identifier or confirmation. In a chat-driven interface, this creates a real risk of unintended task claims or review decisions from ambiguous owner language, especially when multiple pending actions exist or conversational text is misinterpreted as an approval.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
`cmd_init` writes the API key in plaintext to `config.json` under the user's home directory without warning or permission hardening. Local credential storage is risky because other local users, backup systems, malware, or accidental file disclosure can expose the token and allow unauthorized API access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script silently POSTs a JSON debug report to a remote API with no user-facing warning, consent prompt, or even a local notice before transmission. In this skill context, which interacts with a remote marketplace and executes tasks automatically, silent outbound reporting is more dangerous because operators may not realize task data or local execution details are being exfiltrated beyond the expected workflow.

VirusTotal

67/67 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.