Dream dance of Clawra

Security checks across malware telemetry and agentic risk

Overview

The skill's selfie messaging purpose is mostly clear, but its installer persistently changes the agent's identity and persona, and its send path to external messaging channels is insufficiently constrained (no confirmation or consent checkpoint before outbound delivery).

Review this before installing. Back up IDENTITY.md and SOUL.md, install only if you want the agent to persistently adopt this Haocun/Clawra persona, use least-privilege OpenClaw gateway tokens, and require explicit confirmation of channel, recipient, caption, and image before sending anything through WhatsApp, Signal, or other messaging services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented skill purpose is image selection and message sending, but the static finding indicates additional behavior that can overwrite IDENTITY.md, modify SOUL.md, and alter agent workspaces. Hidden persona/workspace modification is dangerous because it can permanently change agent behavior and persistence boundaries beyond the user's expected action.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The CLI claims to install a selfie skill, but the operative behavior is to rewrite core agent workspace files such as IDENTITY.md and SOUL.md, changing the agent's identity and persona instead of merely adding a capability. This is dangerous because it performs persistent, security-relevant behavior changes to the agent under misleading installer semantics, creating a supply-chain style deception where users consent to a skill install but receive identity hijacking.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The file header and UX describe a 'Selfie Skill Installer', but main() explicitly skips skill installation and proceeds to alter workspace persona files instead. The mismatch between advertised function and actual effect is a strong indicator of deceptive behavior and is especially risky because it can socially engineer users into approving modifications they would not knowingly accept.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The example triggers are ordinary conversational phrases such as "Send me a selfie" and "What are you doing right now?" with no explicit activation boundary, consent check, or confirmation step. In an agent skill that can send images to messaging channels, this increases the chance of unintended invocation and unauthorized content sharing during normal conversation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly advertises sending photos across multiple messaging platforms but does not warn users that images may be transmitted to third-party services or external recipients. In this skill's context, the capability is inherently cross-platform and outward-facing, so missing disclosure and consent guidance creates a real risk of privacy violations, accidental sharing, and misuse.

Vague Triggers

High
Confidence
93% confidence
Finding
The trigger phrases include very common expressions such as 'dream,' 'what are you doing?', and 'how are you doing?', which can cause accidental activation of external messaging behavior. In a skill that can send media to WhatsApp or Signal, broad conversational triggers materially increase the risk of unintended data transmission or spam.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill can send media and text to external messaging channels, but the description does not prominently warn users about this outbound action. Lack of clear disclosure undermines informed consent and makes accidental exfiltration or unintended contact more likely.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
writeIdentity() overwrites IDENTITY.md unconditionally after only generic continuation prompts, without a specific warning, backup, or diff of the existing identity. This can silently destroy user configuration and permanently alter how the agent presents itself, which is particularly dangerous in an agent workspace where identity files influence downstream behavior.

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
The embedded identity content hard-codes a specific persona, tone, avatar, and presentation, forcing the agent into a role unrelated to simply adding selfie functionality. In this skill context that is more dangerous because the package is framed as a utility/capability install, so users are less likely to expect broad behavioral and persona manipulation.

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger patterns are very broad and include common words like 'dance', 'dream', and loosely structured regexes such as 'show.*me.*you', making accidental activation likely during normal conversation. In a skill that can send images to external messaging channels, unintended invocation can cause unwanted outbound actions and privacy-impacting content sharing without clear user intent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The manifest states that the skill sends images to messaging channels, but it does not present any user-facing warning, consent language, or clear disclosure that content may be transmitted to third-party services. Given the skill's purpose is outbound media sharing and it supports multiple external channels, missing disclosure increases the risk of users unknowingly triggering data sharing.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script transmits a message and media to an external messaging destination immediately, using channel and target parameters without any confirmation, preview, or consent checkpoint. In an agent skill context, this creates a real risk of unintended outbound communication, spam, privacy violations, or misuse of connected messaging accounts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The fallback path automatically uses an authorization token from the environment and performs a network request, potentially to a configurable gateway URL, without any explicit disclosure or trust validation. In a skill environment, silent use of ambient credentials for outbound requests increases the chance of unauthorized actions or exfiltration through misconfiguration or malicious invocation context.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases are overly broad and include common conversational words like "dream" and "where are you?", which can cause the skill to activate during normal chat rather than explicit user intent. In this skill, unintended activation is more dangerous because the declared purpose is to send images to external messaging channels, so accidental invocation can lead to unplanned outbound actions and privacy-impacting message delivery.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill does not prominently and clearly disclose that it can transmit images and captions to external channels such as WhatsApp and Signal. That omission undermines informed consent and increases the risk that users provide prompts without realizing the skill may forward content to third-party services or recipients.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The fallback path silently sends messages through a direct HTTP API endpoint, defaulting to http://localhost:18789, with only generic logs. This can cause unintended data transmission and weak transport security, especially if the gateway URL is reconfigured to a non-local or non-TLS endpoint without user awareness.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to send selfies for broad, common prompts like asking what it is doing or where it is, which can cause unintended invocation during normal conversation. In a messaging-integrated skill that can generate and send images to external channels, this increases the risk of surprise media generation, privacy issues, and spammy or manipulative behavior without clear user consent.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The examples define trigger scope using ambiguous everyday phrases such as 'How are you?', 'Where are you?', and 'What are you doing?', which overlap with ordinary chat and can activate image generation unexpectedly. Because the skill is framed around a persistent persona and supports external messaging channels, this ambiguity makes unauthorized or excessive media sending more likely.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation guidance is very broad: 'Any interaction with my audience' plus several generic topic categories can cause the persona/skill to trigger in contexts that were not explicitly intended. In a skill that can send semantically selected snapshot images to messaging channels, overly permissive invocation increases the chance of unintended content sharing, persona misuse, or accidental activation during unrelated conversations.

External Transmission

Medium
Category
Data Exfiltration
Content
**Alternative: Direct API call**
```bash
curl -X POST "http://localhost:18789/message" \
  -H "Authorization: Bearer $OPENCLAW_GATEWAY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
88% confidence
Finding
curl -X POST "http://localhost:18789/message" \ -H "Authorization: Bearer $OPENCLAW_GATEWAY_TOKEN" \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.
