OpenClaw Model Usage

Security checks across malware telemetry and agentic risk

Overview

This skill locally summarizes OpenClaw model usage from known session logs and can optionally create a local HTML dashboard; the main risk is privacy if reports are shared.

Install only if you want an agent to read your local OpenClaw usage logs under ~/.openclaw/agents. Treat generated summaries and dashboard HTML as potentially sensitive, and review or redact them before sharing or publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill instructs the agent to read local session logs, invoke shell commands, and write an HTML dashboard to disk, but it declares no permissions. This creates a transparency and governance gap: operators and policy engines cannot accurately assess or constrain what the skill may access or modify, increasing the risk of unintended data exposure from local logs or filesystem writes.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 84%
Finding: The skill description frames the behavior as usage inspection, but the documented commands also write a self-contained HTML artifact and perform deeper metadata inference from session content, including subagent and workspace relationships. That mismatch can cause users to authorize the skill expecting read-only summarization when it actually performs additional processing and persistent output, which is especially sensitive because session logs may contain private operational context.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The skill’s stated purpose is model-usage inspection, but this code also reads session headers and parses user-message text to recover labels, channels, requester session IDs, working directories, and subagent context. That expands access from billing/usage data into potentially sensitive conversation metadata and prompt-derived content, increasing privacy exposure beyond what a user would reasonably expect from the skill description.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The dashboard command writes a persistent HTML report to disk containing session and usage metadata, making potentially sensitive operational information easier to retain, copy, and share. Because the skill is described as an inspection/summarization tool, silently producing a portable report broadens disclosure risk beyond transient local output.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: This logic infers parent-child session relationships and subagent details by regex-parsing session content, which exceeds the narrow need to summarize model usage. Reconstructing internal workflow structure can reveal agent topology, request routing, and contextual task information that may be sensitive in multi-agent or shared environments.

Missing User Warnings

Severity: Low
Confidence: 92%
Finding: The skill explicitly directs inspection of local OpenClaw session logs, which can contain sensitive conversation history, file paths, agent labels, and cost/usage metadata. Even though the purpose is legitimate observability, the documentation provides no privacy warning, minimization guidance, or consent boundary, increasing the risk of over-collection or disclosure of local user data.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The generated HTML is explicitly portable and shareable, yet the code provides no warning that it may include agent names, session labels, channels, status, and usage history. This creates a meaningful risk of accidental disclosure when users share or archive the report, especially since the skill framing emphasizes harmless usage summaries.

VirusTotal

66/66 vendors flagged this skill as clean.