CLI Worker Skill (Kimi CLI)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it can route coding tasks to non-Kimi CLI providers despite Kimi-focused skill documentation.

Install only if you are comfortable with a local CLI worker that can run authenticated external coding CLIs, create and remove git worktrees, and pass task prompts and repository context to the selected provider. Check OPENCLAW_CLI_PROVIDER and openclaw.json before use so tasks do not go to Claude Code or OpenCode unexpectedly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill instructs the agent to run shell commands and rely on environment/config state, but the skill metadata shown in this file does not declare corresponding permissions. That creates a trust and enforcement gap: a user or platform may believe the skill is low-privilege while it can drive command execution, git operations, and local tooling with whatever authority the host agent already has.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The documented purpose says the skill delegates to Kimi CLI in isolated worktrees, but the analyzed behavior includes broader capabilities such as alternate providers, reading configuration/environment variables, writing manifests/instruction files, status inspection, and destructive cleanup/removal actions. This mismatch is dangerous because operators may approve or invoke the skill under a narrower threat model than the actual behavior, enabling unexpected file writes, task orchestration, or deletion in the local development environment.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding:
The skill metadata says delegation is for Kimi CLI agents, but this registry enables alternate backends (Claude and OpenCode). That creates a security-relevant capability mismatch: users or higher-level policy may believe only Kimi is used, while environment/config/CLI input can route tasks to different external CLIs with different trust, auth, data-handling, and execution characteristics.

Intent-Code Divergence

Medium
Confidence: 88%
Finding:
The module header explicitly advertises support for Claude Code and OpenCode, contradicting the skill description that frames the capability as Kimi-specific. In a security-sensitive agent skill, misleading documentation can cause operators and users to misjudge where prompts, code, and secrets may be sent, undermining trust boundaries and review assumptions.

VirusTotal

No VirusTotal findings