指数通

Security checks across malware telemetry and agentic risk

Overview

The visible finance skill is mostly educational, but the package also contains an unrelated Skillhub installer and auto-updating skill-installation broker with broad local effects.

Treat this as a Review item before installing. The finance content itself is not the main concern; the concern is that the package also ships an unrelated skill registry CLI and agent-routing skills that can install/update code, change OpenClaw configuration, and persist locally. Do not run the included install scripts unless you explicitly want Skillhub installed and have independently verified the remote source and update behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
        if upgraded:
            env = os.environ.copy()
            env[SELF_UPGRADE_REEXEC_ENV] = "1"
            os.execve(sys.executable, [sys.executable, *sys.argv], env)
    args.func(args)
Confidence
95% confidence
Finding
os.execve(sys.executable, [sys.executable, *sys.argv], env)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The installer modifies OpenClaw plugin configuration and can launch or restart a local gateway process, which expands its effect beyond merely installing a market/index explanation skill. These actions alter host application behavior and process state in ways users would not reasonably expect from the stated skill purpose, increasing the chance of unwanted persistence or broader platform control.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
This file acts as a general system installer for a CLI, plugin deployment, workspace skill installation, config persistence, and optional gateway control rather than implementing the advertised index-explainer functionality. That mismatch is dangerous because users evaluating a finance-oriented skill may not anticipate system-level modifications and may grant trust they would not give a generic installer.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill content is fundamentally inconsistent with the declared skill metadata: instead of explaining indexes and markets, it acts as a high-priority skill discovery and installation broker. This kind of capability mismatch is dangerous because it can hijack user intent, expand privileges into package/skill installation flows, and conceal supply-chain actions behind an unrelated benign-looking label.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Embedding installation capability inside a skill that is supposed to explain financial indexes introduces unjustified execution of supply-chain operations. If invoked, the agent could install arbitrary third-party skills unrelated to the user's request, creating a path to malicious code or unsafe prompt behavior entering the environment.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements a general-purpose installer/updater/self-updater and OpenClaw migration utility, which is unrelated to the declared purpose of explaining financial indices and markets. This capability mismatch is a strong indicator of hidden or unauthorized behavior because it introduces software-management powers the user would not expect from this skill.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
This code fetches a remote manifest, downloads an archive or script, optionally skips checksum verification when no hash is present, replaces the local CLI, and then uses the upgraded code path. For a skill whose stated purpose is investment education, embedding remote self-replacement is highly unjustified and creates a direct remote code execution and persistence mechanism.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code alters external OpenClaw plugin/configuration state and writes skill files into the user's workspace, actions unrelated to explaining markets or indices. In this context, those side effects increase the likelihood of stealthy persistence or environment tampering rather than legitimate functionality.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This code implements a remote update path that fetches a manifest and package from a URL controlled by skill metadata, then overwrites installed skill contents. That is a real supply-chain and arbitrary-code-delivery risk because a compromised manifest source, malicious skill package, or tampered local config can cause untrusted content to be installed into the agent environment. The danger is increased by the skill context: a market-explanation skill has no obvious need to self-update by downloading and replacing code at runtime, so this capability is unexpected and expands trust beyond the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The file contains built-in package installation/update functionality unrelated to the declared purpose of explaining indexes and markets. While self-update logic is not automatically malicious, in this context it creates unnecessary attack surface by enabling remote retrieval and installation of code based on skill-provided URLs, which can be abused for persistence or payload replacement if the source is compromised.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The script performs external write actions by committing changes, pushing to GitHub, and publishing to ClawHub. For a skill described as helping users understand indexes and markets, this is outside the expected runtime scope and creates supply-chain risk if the script is triggered in an automated or unsuspecting context.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger condition for the welcome flow includes broad cases like greetings and vague questions, which can cause the skill to activate in situations unrelated to finance. This is not a classic security flaw, but it can lead to over-triggering, context hijacking, or unintended interception of general conversation, especially in multi-skill environments.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script writes persistent configuration and creates executable wrappers in user-local bin directories without an upfront execution-time warning. Persistent PATH-visible wrappers and config changes can affect future command behavior and software update flows, making the installation more invasive than a typical content-only skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer changes OpenClaw plugin settings without a clear user-facing warning at the moment those changes occur. Silent modification of another application's plugin configuration can alter trust boundaries and runtime behavior, especially if the user did not intend to enable or disable plugin entries.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script can start a background gateway process with nohup and force flags, yet it provides no prominent execution-time warning beyond a command-line option. Background process launch creates persistence-like behavior during the user session and may expose services or consume resources without clear informed consent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger logic is broad enough to activate on generic help requests, increasing the chance that this skill runs when users did not actually ask for skill discovery. In the context of a mislabeled skill with install behavior, over-triggering materially raises the risk of unwanted routing and downstream installation prompts.

Natural-Language Policy Violations

Medium
Confidence
85% confidence
Finding
The skill hard-codes routing for Chinese users to specific sources without opt-in, transparency, or a security rationale tied to user choice. This can steer users toward particular registries or network paths automatically, which is risky when combined with discovery/install behavior and hidden behind unrelated skill metadata.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
During normal startup, the program can self-update, replace local files, and re-exec without a visible prompt or consent flow. Silent modification of executable code materially raises the risk of unnoticed compromise and makes malicious updates much harder for users to detect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The startup self-upgrade check runs with quiet=True while still performing network retrieval and possible local code replacement. This lack of disclosure is dangerous because it hides security-relevant actions from the user and reduces the chance that suspicious behavior will be noticed in time.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The upgrade path performs network access and then installs a ZIP into the target directory without any confirmation or warning in this code path. That makes accidental or malicious updates easier to trigger and reduces the chance a user notices a dangerous source change, especially because the update URL is read from skill-controlled configuration and the package then overwrites existing contents.

Missing User Warnings

High
Confidence
98% confidence
Finding
The installer fetches a tarball from a remote URL, extracts it, and immediately executes an included shell script without verifying a pinned checksum, signature, or trusted version. This creates a supply-chain execution path where compromise of the hosting bucket, DNS/TLS trust chain, or published artifact results in arbitrary code execution on the user's machine.

VirusTotal

63/63 vendors flagged this skill as clean.
