ClawLine Setup

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed ClawLine setup helper, though using it can install plugin code, change device pairing, and restart OpenClaw.

Install only if you trust the ClawLine project and the @openclawline/clawline-setup package. Before use, understand that it may install executable plugin code, store or replace a phone UUID pairing, disconnect an existing device, and restart the OpenClaw gateway.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Missing User Warnings

Medium, 86% confidence
Finding
The skill explicitly states that after receiving a UUID it will immediately write configuration and restart the gateway, but it provides no warning, confirmation step, or indication of service disruption. That makes it easy for a user to trigger a configuration change and restart with a single chat message, increasing the risk of accidental denial of service or unauthorized reconfiguration if the conversation is spoofed or misunderstood.

Missing User Warnings

Medium, 83% confidence
Finding
The skill says a new UUID can overwrite an existing pairing at any time, but it does not warn the user that this replaces the previously linked device. In a pairing workflow, silent replacement can sever an existing trusted connection and redirect linkage to a different device, especially if the user provides the wrong UUID or an attacker induces the change.

Missing User Warnings

Medium, 80% confidence
Finding
The skill offers a command to clear pairing information and disconnect ClawLine without warning that this will break the current device connection and may require re-pairing. While less severe than arbitrary re-binding, it still enables accidental service disruption through a natural-language command with insufficient friction.

Vague Triggers

Medium, 90% confidence
Finding
The trigger phrases are very broad installation commands with no scope constraints, confirmation requirements, or contextual exclusions. In an agent setting, generic prompts like 'install clawline-setup' can cause unintended activation and execution of package-install behavior, increasing the risk of unauthorized software installation or social-engineering abuse.

VirusTotal

66/66 vendors flagged this skill as clean.
