Dream Of Clawra

Security checks across malware telemetry and agentic risk

Overview

This skill can send images through messaging accounts, but its installer also persistently changes the agent’s identity/persona with weak disclosure and control.

Install only if you intentionally want this agent to adopt the Haocun/Clawra persona and send hosted images through your messaging setup. Back up IDENTITY.md and SOUL.md first, review the installer before running it, narrow the allowed tools, keep the OpenClaw gateway token private, and require explicit confirmation for every recipient, channel, caption, and image.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill's declared purpose is selecting and sending images, but the content also includes setup/configuration steps and behavior outside that narrow scope, including direct API sending and references to persona modification. This kind of scope mismatch is dangerous because it can mislead users and reviewers about what the skill may cause an agent to do, increasing the chance of unauthorized configuration changes or unintended outbound messaging.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The installer is presented as a selfie-sending skill installer, but its primary behavior is to rewrite IDENTITY.md and alter SOUL.md to change the agent’s persona and behavior. This is dangerous because it performs persistent prompt/identity injection into a selected agent workspace, which can covertly manipulate the agent’s future responses well beyond the advertised skill scope.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code advertises skill installation functionality and includes an installSkill routine, but the main flow explicitly skips installing the skill directory and instead proceeds to persona/identity modification. This mismatch is dangerous because it is deceptive behavior that can mislead users into authorizing installation of a benign skill while the actual effect is hidden persistence through workspace prompt files.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill grants broad shell/package execution capabilities (`npm:*`, `npx:*`, `curl:*`) that exceed its stated purpose of selecting CDN-hosted images and sending them through OpenClaw. In an agent setting, this unnecessarily expands the attack surface and could enable arbitrary command execution, package installation, or unreviewed network access if the skill is invoked or modified in unsafe ways.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The example triggers are broad, natural-language phrases like "Send me a selfie" and "What are you doing right now?", which can easily overlap with ordinary user conversation. In an agent skill that can send images through external messaging platforms, ambiguous invocation increases the chance of unintended activation and accidental sharing of images or externally transmitted content.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises sending photos across multiple messaging platforms but does not warn that this involves external transmission and potential data sharing with third-party services. Because the skill is specifically designed to generate/select images and distribute them over networked messaging systems, users may unknowingly enable behavior that exposes content, metadata, or recipient information outside the local environment.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation phrases are overly broad and overlap with normal conversation such as 'how are you doing?' or 'what are you doing?'. This can trigger the skill unexpectedly during ordinary chat and cause image-selection or message-sending workflows to begin without clear user intent.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill facilitates sending media to external messaging channels but does not present a clear upfront warning or consent boundary. In context, this is especially risky because the skill is framed as casual conversational/photo behavior, which may obscure that it performs outbound communication to third-party channels.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The installer unconditionally overwrites IDENTITY.md with attacker-controlled content after only a generic continuation prompt, without an explicit warning that a user file will be replaced. This can permanently alter agent identity, break existing configurations, and introduce unwanted behavioral steering into the workspace.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer creates or appends to SOUL.md to inject persona instructions, again without a clear upfront disclosure that it is modifying a core behavioral prompt file. Because SOUL.md influences agent behavior persistently, unauthorized or poorly disclosed edits can amount to stealthy prompt injection and long-lived manipulation of the agent.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger patterns are broad enough to match ordinary conversation terms like 'dance', 'dream', or 'what doing', which can cause the skill to activate unintentionally. Because this skill performs outbound messaging actions, accidental activation could send images to external channels without a clear, deliberate user request.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The manifest advertises sending images to messaging channels but does not present any user-facing warning, consent notice, or confirmation requirement for outbound sharing. In a media-sending skill, this increases the chance that users trigger data transmission without realizing content will be sent to third-party services or contacts.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
In the fallback path, the script sends a message to an external/local messaging gateway using user-controlled destination metadata without validating or clearly surfacing what will be transmitted. In a skill explicitly designed to message third-party channels, this increases the risk of unintended outbound messaging, privacy issues, or abuse if the skill is invoked with attacker-chosen targets.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are overly broad and include common conversational language such as "dream," "how are you doing?" and "where are you?". In an agent environment, this can cause accidental invocation of a skill that sends external messages or images, leading to unintended actions without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description and behavior involve sending images and messages to external channels, but there is no prominent warning or required confirmation before transmission. This increases the risk of users unknowingly causing outbound communication, privacy leakage, or misdelivery of media to real recipients.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script transmits data to an external messaging gateway without any confirmation, disclosure, or validation of destination parameters. In the context of a skill that sends images to messaging channels, this creates a real risk of unintended outbound messaging, privacy violations, and abuse if invoked with attacker-controlled channel or target values.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The skill instructs the agent to trigger image generation for broad, common prompts like asking what it is doing or where it is. In a messaging context, this can cause unintended invocation of the selfie capability, leading to surprise image generation, privacy issues, or abuse of downstream messaging/actions without clear user consent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The invocation guidance includes ambiguous everyday phrases such as 'What are you doing?', 'Where are you?', and even a single word like 'Dancing' as triggers for a selfie workflow. Because these phrases are common in ordinary chat, the agent may misinterpret benign conversation as authorization to generate and send images, increasing the risk of unintended actions and channel spam.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation guidance is overly broad, especially the clause allowing use for "any interaction with my audience," which lacks clear boundaries on when this persona should be invoked. In an agent system that can send images to messaging channels, vague activation can cause the skill to trigger in unrelated contexts, leading to unintended impersonation-style responses or inappropriate automated content distribution.

External Transmission

Medium
Category
Data Exfiltration
Content
**Alternative: Direct API call**
```bash
curl -X POST "http://localhost:18789/message" \
  -H "Authorization: Bearer $OPENCLAW_GATEWAY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
94% confidence
Finding
curl -X POST "http://localhost:18789/message" \ -H "Authorization: Bearer $OPENCLAW_GATEWAY_TOKEN" \ -H "Content-Type: application/json" \ -d

VirusTotal

63/63 vendors flagged this skill as clean.
