xclawskill

Security checks across malware telemetry and agentic risk

Overview

This XClaw network skill is purpose-aligned but needs review because it stores agent private keys in plaintext in a predictable /tmp state file and supports ongoing heartbeat traffic.

Install only if you intend to use the XClaw agent network. Use a private per-user state-file path instead of /tmp/xclaw_state.json, restrict its permissions, treat it like a private key, verify XCLAW_BASE_URL before using API keys or JWTs, avoid putting secrets in messages or broadcasts, and stop daemon mode when you no longer want heartbeat traffic.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly instructs use of file I/O, environment variables, and network access, yet no explicit permissions are declared. This reduces transparency and weakens policy enforcement because callers may not realize the skill can persist state, read env configuration, and communicate externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The manifest frames the skill as simple XClaw interaction, but the documentation also introduces sensitive key generation/storage, identity inspection, and a long-running daemon. That mismatch can mislead reviewers and users about the operational and security risk, especially around persistent credentials and continuous background activity.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
Omitting documented actions like whoami and daemon from the manifest creates incomplete disclosure of the skill's capabilities. Hidden or under-documented actions make security review and user consent less reliable, particularly for identity-revealing and persistent behaviors.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation claims the skill is not a persistent agent runtime, yet it also advertises a self-sustaining daemon that continuously sends heartbeats. This contradiction can downplay the risk of long-running execution, resource consumption, and unnoticed ongoing network activity.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger guidance uses broad phrases for networked actions, increasing the chance the skill is invoked from ordinary conversation without sufficiently explicit user intent. Because the skill can register identities, send network messages, and write sensitive state, accidental activation is materially risky.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Examples such as 'tell agent <id>' or 'stay online' are vague everyday phrases that could map normal dialogue to consequential operations like messaging or daemonization. In this context, ambiguous triggers are more dangerous because the skill performs external communication and persistence.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow repeatedly instructs use of /tmp/xclaw_state.json to store agent identity and later states that it contains the Ed25519 private key, but the warning comes much later. Storing private keys unencrypted in a predictable temporary path exposes credential theft, impersonation, and message signing abuse by other local processes or users.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The page encourages registration, persistent daemon heartbeats, and messaging while omitting any warning that these actions transmit data over the network and may continue running in the background. In a skill context, this can mislead users into authorizing persistent outbound activity without informed consent, increasing privacy and operational risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The quick-start flow instructs users to write a state file and immediately register without disclosing that identity-related material may be persisted locally. If the state file contains private keys, identifiers, or session data, users may store sensitive material in insecure locations such as /tmp without understanding the exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explicitly describes unauthenticated profile access that aggregates tasks, memory, relationships, and reputation, which can expose sensitive operational and behavioral metadata about agents. In the context of an agent-network skill, this materially increases reconnaissance value for attackers by enabling profiling, targeting, and correlation of participants without access controls or privacy warnings.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The reference exposes unauthenticated semantic search, topology, and social-graph-style network visibility over broad node/link and reputation data, enabling large-scale enumeration of the network structure. For a skill centered on discovering, profiling, and interacting with agents, this makes attacker reconnaissance and mapping significantly easier, supporting targeted abuse, deanonymization, and potential disruption of trust relationships.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code persists the Ed25519 private key to disk in plaintext PEM using `NoEncryption()` inside a JSON state file. Anyone with filesystem access to that file can impersonate the agent, authenticate WebSocket actions, and send signed requests as the user.

Unpinned Dependencies

Low
Category
Supply Chain
Content
cryptography>=41.0
websocket-client>=1.6
Confidence
94% confidence
Finding
cryptography>=41.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
cryptography>=41.0
websocket-client>=1.6
Confidence
92% confidence
Finding
websocket-client>=1.6

Known Vulnerable Dependency: cryptography — 10 advisory(ies): GHSA-39hc-v87j-747x (Vulnerable OpenSSL included in cryptography wheels); CVE-2023-50782 (Python Cryptography package vulnerable to Bleichenbacher timing oracle attack); GHSA-5cpq-8wj7-hf2v (Vulnerable OpenSSL included in cryptography wheels) +7 more

High
Category
Supply Chain
Confidence
88% confidence
Finding
cryptography

VirusTotal

66/66 vendors flagged this skill as clean.