Clawdoctor

Security checks across malware telemetry and agentic risk

Overview

ClawDoctor is a coherent OpenClaw monitoring tool, but it needs Review because Telegram approval callbacks can trigger disruptive actions without verifying the Telegram user or chat that clicked them.

Install only if you are comfortable giving a local daemon authority over OpenClaw operations. Use dry-run first, keep Telegram bot tokens private, restrict who can see or press approval messages, and avoid enabling Heal auto-fix on production systems until the callback authorization gap is addressed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

High
Confidence: 96%
Finding
The rollback command ultimately executes a stored rollbackCommand from snapshots, creating a command-execution path whose safety depends entirely on snapshot integrity. If an attacker can tamper with snapshot storage or influence snapshot contents, they may achieve arbitrary command execution when an operator runs rollback, which is especially dangerous for a system-healing tool likely to run with elevated or trusted local privileges.

Context-Inappropriate Capability

High
Confidence: 88%
Finding
The module executes a command loaded from persisted snapshot data, which turns snapshot files into an authority-bearing command source. The allowlist is only a startsWith check on a string prefix, so any actor who can create or modify a snapshot can cause execution of arbitrary subcommands or dangerous arguments under trusted binaries such as 'openclaw', making this an unsafe command-execution pathway.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill description mentions Telegram alerts and self-healing behavior without clearly warning that operational data may be transmitted to a third party and that automated system changes may occur. In a monitoring/admin context, that omission can lead to unintended disclosure of service health details and unexpected restart actions on production systems.

Missing User Warnings

Medium
Confidence: 94%
Finding
The Quick Start instructs users to start the daemon immediately, but the document elsewhere states the tool can auto-fix issues by restarting the gateway. Starting a daemon that may take remediation actions without a conspicuous warning or safe default increases the risk of accidental production impact, service interruption, or unsafe automated changes.

Missing User Warnings

Medium
Confidence: 89%
Finding
The task explicitly collects a Telegram bot token and chat ID and stores them in a local config file, but it does not require restrictive file permissions, secret redaction, or any warning to the user about sensitive credential handling. If the file is readable by other local users, accidentally logged, backed up insecurely, or committed, the bot token could be abused to send or read alerts depending on bot setup.

Missing User Warnings

Medium
Confidence: 84%
Finding
The task includes auto-restarting the gateway and optionally installing a systemd service, both of which modify local system behavior, but it does not require explicit consent language, dry-run preview, or clear disclosure at the point of action. In a monitoring tool, unexpected restarts or service installation can disrupt workloads, create persistence, or surprise the operator in ways that reduce trust and safety.

Missing User Warnings

Medium
Confidence: 91%
Finding
The task sends monitoring alerts to Telegram and includes host and event data, but it does not warn users that operational metadata will be transmitted to a third-party service. This can expose hostnames, failure states, auth-related events, cron names, and timing information outside the local system, which may be sensitive in production environments.

Missing User Warnings

Medium
Confidence: 90%
Finding
The callback handler performs destructive operations such as disabling crons, killing sessions, and terminating all sessions based solely on callbackData, with no explicit re-confirmation, no visible execution-time warning, and no verification that the callback originated from an authorized Telegram user. In this skill's context, Telegram callbacks are a remote control surface for production healing actions, so a spoofed, replayed, or misrouted callback could directly trigger operationally destructive changes.

Missing User Warnings

Medium
Confidence: 91%
Finding
The healer reads the last lines of a session log from a path supplied via context and persists that content into a snapshot. Session logs commonly contain prompts, secrets, tokens, commands, or user data, so copying them into another storage location increases exposure and retention without any sanitization, minimization, or explicit operator disclosure. In this monitoring/self-healing skill, that makes the issue more dangerous because snapshots are part of operational recovery flow and may be broadly accessible to administrators or automation.

VirusTotal

66/66 vendors flagged this skill as clean.
