Claw Rpg

Security checks across malware telemetry and agentic risk

Overview

This is a real RPG companion skill, but it needs review because it reads identity/memory files, changes replies and saved state, exposes a LAN dashboard, and can use local OpenClaw credentials for Telegram or cron automation.

Install only if you want an RPG system that reads assistant identity/memory files and keeps ongoing saved state. Avoid running the dashboard on shared networks unless you add access controls or bind it to localhost. Leave config.json/Telegram unset if you do not want outbound messages, and do not run setup-cron.mjs unless you want a persistent OpenClaw job. Treat report.mjs carefully because the documented --preview mode is not honored by the current implementation.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The server enables global CORS and later listens on 0.0.0.0, making character data and live SSE updates reachable by other machines on the LAN and readable by any website a user visits. Because there is no authentication or origin restriction, an attacker on the same network or a malicious web page can exfiltrate the character.json contents without user approval.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The notification helper reads unrelated workspace profile/memory files solely to infer language, which exceeds the minimum data needed for its function. This creates unnecessary access to potentially sensitive user content and establishes a privacy-invasive pattern where auxiliary features inspect personal workspace data without explicit consent.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
The header comment materially misrepresents the script's behavior by claiming it only emits a trigger line or __NO_TRIGGER__, while the implementation also updates persistent XP/conversation state on every run. In an agent-skill context, this is dangerous because callers may treat the script as side-effect-free and invoke it in preview, test, or read-only flows, causing hidden state mutation and making downstream behavior harder to audit.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The script's primary role is to generate and emit a local greeting, but it also sends that greeting through an external notification channel via notify(). That creates an unexpected data flow outside the local conversation path and may leak character/profile data or user-facing content to a third-party sink without explicit consent, configuration clarity, or a clear security boundary.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The script reads a gateway bearer token from the user's home-directory config and uses it to authenticate to a local API, even though the stated purpose is only to set up a cron reminder. Accessing ambient credentials without clear disclosure or explicit user input expands the script's privilege boundary and creates unnecessary risk if the script is modified, repurposed, or run in an unexpected environment.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The README explicitly promotes hidden mid-conversation flavor text as a surprise easter egg, which means agent outputs may be altered without user awareness. In an agent skill context, undisclosed output injection undermines transparency and can confuse users about which parts of a response are model-generated versus skill-appended behavior.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
Advertising the dashboard as LAN-accessible with live SSE updates encourages exposing character state over the network without any accompanying warning about access control, authentication, or sensitive data exposure. Even on a local network, other devices may connect and observe state changes if the service is bound broadly and left unsecured.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The integration instructions tell operators to run a script after every reply and append its output unless it matches a sentinel value, creating systematic hidden modification of user-facing responses. This is risky because it normalizes undisclosed post-processing of agent messages and could be repurposed to inject misleading, manipulative, or policy-violating content.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The skill description and 'Use when' guidance are broad enough that an agent could invoke it during ordinary conversations, causing automatic state changes, file reads, or side effects without clear user intent. Because the skill also includes reply-time hooks, cron setup, and hidden output behavior, overbroad triggering increases the chance of unexpected execution and privacy-impacting actions.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The documentation states that the skill reads `SOUL.md` and `MEMORY.md` to generate a character sheet, but it does not define scope limits, consent requirements, or data minimization expectations. In an agent environment, those files may contain sensitive profile, memory, or behavioral data, so undocumented access can lead to unnecessary collection and secondary use of private information.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The daily report feature sends RPG status information to Telegram but does not prominently warn that character data derived from local profile/memory files may be transmitted to an external service. Since the report includes level, stats, XP progress, and class information generated from user-related data, this creates a real exfiltration risk if enabled without informed consent and clear boundaries.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The instruction to 'just do it, don't ask' explicitly discourages confirmation before taking potentially state-changing actions in a codebase. In an agent skill, this weakens safety checks against destructive, unauthorized, or misunderstood file operations and increases the chance of harmful execution from ambiguous prompts.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
This code transmits user/event-derived content to Telegram through a local gateway, but the file contains no consent, disclosure, or approval mechanism before external delivery. Even if the gateway is localhost, the end result is outbound messaging to a third-party platform, which can leak user activity, names, progression data, and behavioral patterns.

Natural-Language Policy Violations

Severity: Medium
Confidence: 91%
Finding:
Language is automatically determined by inspecting workspace file contents instead of using an explicit user preference. While less severe than direct exfiltration, this still overrides user choice and relies on analysis of unrelated content, compounding the privacy issue and making system behavior less transparent.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The script silently modifies persistent character state by awarding XP and incrementing conversation count even when no visible trigger is produced. Hidden writes in an agent skill are risky because they create non-obvious state drift, can be abused by repeatedly invoking the script to farm progression, and violate the principle of least astonishment for tools that appear to be cosmetic output generators.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The script silently reads a gateway auth token from local user configuration and sends it in an Authorization header, with no runtime disclosure or consent prompt. In a skill/setup context, hidden credential use is dangerous because users may execute the script assuming it is a harmless scheduler, while it is actually exercising authenticated access to a local control plane.

VirusTotal

48/48 vendors flagged this skill as clean.