12 Cool Skills for OpenClaw Agent

Security checks across malware telemetry and agentic risk

Overview

This package needs Review because its visible scanner skill is bundled with unrelated higher-risk tools such as sandbox code execution, financial/NFT workflows, and indefinite monitoring.

Install only if you intentionally want a broad experimental multi-skill bundle, not just a vulnerability scanner. Review or remove the sandbox script executor, automatic dependency-install guidance, indefinite watchdog monitoring, financial/NFT recommendation workflows, and logged-in browser workflows. Do not provide real API tokens, private documents, or logged-in service access unless you understand what the agent may read, run, or display.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (25)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises executable scripts with network and filesystem capabilities but does not declare any permissions, which weakens transparency and policy enforcement around what the skill can do. In an agent environment, undeclared capabilities increase the risk of unexpected network scanning or file access being executed without appropriate user understanding or sandbox restrictions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
A strong mismatch between the stated purpose and the broader code behavior is a serious supply-chain red flag because users may invoke the skill expecting simple website security checks while hidden or unrelated functionality executes instead. The specific presence of unrelated token analysis, monitoring loops, trading calculations, and placeholder scripts suggests the package may contain deceptive or repurposed code that could bypass review and perform unintended actions.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file content is for an automated trading assistant, while the surrounding skill context claims it is a vulnerability scanner. This capability mismatch is dangerous because it can cause an agent or operator to invoke the skill under false assumptions, leading to unintended financial actions or bypass of security review processes due to mislabeled functionality.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill documentation describes a continuous financial/news monitoring watchdog, while the surrounding package context presents it as a website vulnerability scanner. This mismatch is dangerous because it can cause users or orchestration systems to invoke the skill under false assumptions, enabling unintended long-running data collection or off-scope behavior that was not consented to or reviewed for the claimed purpose.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file's declared purpose conflicts with the provided manifest context: instead of documenting a vulnerability scanner, it describes a code conversion skill. In an agent skill ecosystem, this kind of identity mismatch can mislead users, reviewers, or orchestration logic into loading or trusting the wrong capability, which is especially risky when the surrounding package claims security functionality.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is packaged under a vulnerability-scanning context, but the actual behavior is a general-purpose code execution capability. That mismatch can cause an agent to invoke an unrestricted script runner when the user intended a bounded website scan, greatly expanding the attack surface and enabling arbitrary code execution or tool misuse in the sandbox.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This file documents a general sandbox script runner with Python, Bash, and Node.js execution plus dependency installation, which does not align with a website vulnerability scanner's stated scope. Scope mismatch is dangerous because it expands the skill from targeted scanning into arbitrary code execution workflows, increasing the chance of misuse, privilege abuse, or unauthorized system changes.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The guidance explicitly enables executing arbitrary Python, Bash, and Node.js scripts and installing packages via pip, npm, pnpm, and even apt-get with sudo. For a website vulnerability scanner, this is unjustified capability expansion that can be exploited to run attacker-supplied code, fetch untrusted dependencies, alter the environment, and potentially escape intended operational boundaries.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The file’s declared purpose materially diverges from the advertised skill metadata: instead of only scanning user-owned websites for common vulnerabilities, it expands into phishing analysis, scam detection, suspicious link/file analysis, and broad threat intelligence. This scope mismatch can bypass user and platform expectations, leading an agent to perform broader security-sensitive actions than authorized and increasing the risk of misuse or over-collection of potentially sensitive inputs.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This file provides broad instructions for executing arbitrary Python, Bash, and Node.js scripts and installing packages, which exceeds the stated purpose of a website vulnerability scanner. In an agent setting, such guidance can enable scope expansion from scanning a user-owned site to running general code and modifying the environment, increasing the risk of misuse or prompt-injected execution behavior.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file content is materially inconsistent with the declared skill purpose: it documents an `auto-watchdog` news-monitoring workflow and external news sources instead of a website vulnerability scanner. This kind of cross-skill mismatch is dangerous because it can hide undeclared behavior, confuse reviewers about the real capabilities of the package, and lead operators to grant trust or permissions based on incorrect documentation.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The script's behavior is materially inconsistent with the declared skill purpose. Instead of scanning user-owned websites for vulnerabilities, it automates browsing to a hardcoded third-party domain (dexscreener.com) and performs token-related content scraping, which indicates hidden or undeclared functionality and can mislead operators about what the skill actually does. In a security tool, this mismatch is dangerous because users may grant trust, network access, or automation permissions under false assumptions.

Vague Triggers

Medium
Confidence
90% confidence
Finding
A bot that executes scripts and returns results introduces a clear remote code execution surface, especially because the description is broad and lacks any constraints on language, environment, permissions, or allowed operations. In an agent setting, ambiguous activation combined with script execution can lead to abuse, lateral movement, data exfiltration, or resource misuse even if 'sandbox' is mentioned.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This skill explicitly proposes trying SQL injection, open-port probing, and DevTools-related checks on websites, which are offensive security actions that can affect third-party systems if misused. Although it says 'your own website,' there is no enforcement mechanism, safety gate, authorization check, or warning, so the skill context makes the ambiguity more dangerous by normalizing active vulnerability scanning.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Describing a script-execution bot without prominent warnings about code-execution risk is dangerous because users may provide or trigger untrusted code under the assumption that it is safe. The surrounding skill list includes security-related and browser-automation concepts, which increases risk that execution could be paired with sensitive data access, scanning, or harmful automation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly invites users to provide Authorization tokens and then demonstrates them in generated examples without any warning to avoid real secrets. In an agent setting, this increases the chance that users paste production credentials into prompts, logs, chat history, or generated code, creating unnecessary secret exposure risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly allows fetching remote URLs and reading local PDF paths without any warning, consent confirmation, or trust-boundary guidance. In an agent setting, this can lead to unintended access to local files or retrieval of untrusted remote content, increasing the risk of sensitive data exposure and unsafe processing of attacker-controlled documents.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation guidance says to simply invoke the skill and then choose a duration, but it does not define concrete trigger phrases, allowed targets, or scope boundaries. In an agent environment, vague activation semantics increase the chance of accidental execution, indefinite monitoring, or use against unintended sources, especially because the skill supports running 'forever'.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly frames its output around identifying 'promising' and 'potentially profitable' NFT collections and recommending 3-5 candidates for investment, but it provides no financial-risk disclaimer, suitability warning, or caution about market manipulation, illiquidity, and scams common in NFT markets. This can cause users to over-rely on the agent's output as investment advice, especially because the workflow presents recommendations in an authoritative, structured format.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger language is broad enough that an agent may select this skill whenever a user mentions running code, even if safer or more specific tooling should be used. In practice, overbroad routing to a code-execution skill increases the chance of executing untrusted input, installing packages, or performing unexpected actions in the sandbox.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill instructs the agent to save and execute user-provided scripts and to install inferred or requested dependencies, but it does not warn about the risks of untrusted code execution or supply-chain exposure from package installation. In context, this makes the skill more dangerous because it normalizes arbitrary execution and dependency fetching without requiring trust boundaries, consent, or safety checks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script issues a live HTTP request containing a classic SQL injection payload to any user-supplied target URL, with no authorization check, warning, allowlist, or rate limiting. In a security-testing skill this behavior is intentional, but it is still dangerous because it enables intrusive probing of arbitrary third-party systems and can be misused for unauthorized scanning or trigger defensive controls and service disruption.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guidance explicitly tells users to modify predictable IDs and observe whether unauthorized resources become accessible, which is an authorization test that can cross into unauthorized access if performed on systems the user does not own or control. Although the skill metadata frames the tool as for user-owned websites, this file itself lacks an in-context warning about authorization, scope, and avoiding impact on third-party data, making misuse easier.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document advises users to reuse expired session tokens or manipulate them without warning that session tokens are sensitive credentials and that such testing must be performed only with explicit authorization. This can encourage unsafe handling of live authentication material and unauthorized account access attempts, especially if copied into real environments without proper safeguards.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions tell the agent to automatically install dependencies using pip, npm, pnpm, and even apt-get without requiring user notice, approval, or safety checks. This is dangerous because package installation changes the system state and may introduce untrusted code execution paths, especially if triggered automatically while handling external or adversarial inputs.

VirusTotal

65/65 vendors flagged this skill as clean.
