Thoughtful

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned for WhatsApp relationship summaries, but it handles very sensitive chat data with recurring automation, persistent local storage, LLM processing, and Telegram delivery that is not scoped clearly enough.

Review carefully before installing. Only use this if you are comfortable giving it read access to WhatsApp data, storing message-derived files and prompts locally, sending summary prompts to an LLM, and delivering summaries through Telegram. Change or remove the hard-coded Telegram destination, add explicit consent and retention controls, and replace the unscoped process-kill cron step before using it with real private conversations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The skill is presented as a WhatsApp companion, but it instructs delivery of generated summaries through Telegram. This cross-channel data flow materially changes the privacy and threat model, because sensitive WhatsApp-derived relationship insights are copied into another messaging platform not clearly disclosed by the primary skill description.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The cron payload instructs `pkill -9 wacli-readonly`, which is a destructive process-killing operation unrelated to relationship summarization. Force-killing processes can disrupt other sessions, corrupt state, or interfere with unrelated uses of the same tool, especially when run on a recurring schedule.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The sync cron sends status and results to Telegram even though the skill's stated purpose is WhatsApp analysis. This introduces an unnecessary exfiltration path and expands exposure of operational metadata and potentially message-derived content to another platform without clear justification.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The summary cron delivers message-derived summaries and relationship insights to Telegram, creating a second platform copy of sensitive interpersonal data. Because the summaries include inferred sentiment, commitments, and relationship patterns, cross-platform forwarding substantially increases privacy risk and potential harm from account compromise or unintended audience exposure.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README states the skill is designed to use OpenClaw's LLM capabilities and deliver summaries via Telegram, but it does not clearly warn that private WhatsApp-derived content may be transmitted beyond the local environment. Because this skill processes sensitive interpersonal communications, users may unknowingly expose personal or third-party data to an LLM service and another messaging platform.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill sends WhatsApp-derived prompts and relationship context to an external LLM for summary generation without a prominent warning in the main description. This is dangerous because private message contents, inferred sentiment, and interpersonal metadata may leave the local environment, creating confidentiality and compliance risks that users may not reasonably expect.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script exports recent WhatsApp messages and chat metadata into local JSON files under a persistent working directory without any explicit consent prompt, retention control, or warning to the user about sensitive relationship data being stored on disk. In the context of a relationship-focused assistant, these files may contain highly sensitive personal communications, so local compromise, backup sync, or accidental sharing could expose private data beyond the messaging platform.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script processes highly sensitive private chat content and writes derived CRM records plus a full LLM prompt containing direct messages, tasks, and relationship signals to disk without any in-file consent, minimization, retention, or access-control safeguards. Those artifacts can expose intimate communications and behavioral profiling to other local users, backups, logs, or downstream systems, especially because the prompt is persisted verbatim in context/last-prompt.txt.

VirusTotal

VirusTotal findings are pending for this skill version.
