TARDIS

Security checks across malware telemetry and agentic risk

Overview

The local time tracker appears legitimate, but its package also includes broad secret loading and a public background webhook tunnel that deserve review before use.

Install only if you want the networked notification and webhook features, not just a local meter. For local-only use, do not run check-webhook-services.sh, avoid Cloudflare/ngrok tunnels, and avoid SendGrid email features. If you use webhooks, enable SendGrid signature verification, restrict who can edit meters.json and HEARTBEAT.md, review what data is sent to SendGrid and Discord/OpenClaw, and replace broad .env loading with a dedicated least-privilege config.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises significant capabilities—environment access, file read/write, shell, and network use—without declaring permissions or prominently warning users. That makes consent and review harder, and in practice it can enable unexpected outbound communications, local persistence, and command execution under the guise of a simple timer utility.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is a tamper-evident elapsed-time tracker, but the skill also includes email delivery, webhook reception, Discord notifications, event-log persistence, and service/tunnel orchestration. This mismatch is dangerous because users may trust and install a low-risk tracking tool while unknowingly granting a much broader operational and data-exfiltration surface.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill encourages automatic email sending and webhook-based integrations but does not clearly warn that event metadata, recipient addresses, message contents, and interaction data may be sent to third parties such as SendGrid and Discord. Users may therefore expose sensitive personal or operational information without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The whitepaper explicitly recommends syncing `~/.openclaw/` to Dropbox, iCloud Drive, or Google Drive, which includes `meters.json` containing plaintext meter descriptions, dates, channels, and targets. Without a prominent warning about third-party storage exposure and sync propagation, users may unknowingly copy sensitive personal or operational data to cloud providers and any other devices linked to that account.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script reads all variables from /root/.env and injects a webhook-related secret into a restarted background service without any validation, minimization, or operator disclosure. In a security-sensitive automation context, this creates unnecessary secret exposure and can cause sensitive values to be inherited by child processes or mishandled through logs, process inspection, or downstream service behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script automatically starts long-lived background processes and exposes a local webhook service through a Cloudflare tunnel with no confirmation or access control visible in this file. In this skill's context, that is more dangerous because it creates external network reachability for a local service, increasing the attack surface and enabling unintended inbound traffic if the webhook handler is weak or misconfigured.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The delete command irreversibly removes stored meter data immediately, with only a bypass for locked meters via --force and no confirmation prompt, dry-run, or recycle behavior. In a CLI that stores personal history and tamper-evidence metadata, accidental or scripted invocation can cause permanent loss of integrity records and user data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The witness file stores the paper code and full integrity hash on disk and is promoted as suitable for cloud sync, but the function itself does not meaningfully warn that these values are sensitive verification material. In this skill's context, these records underpin tamper evidence, so casually persisting them may expose private activity metadata and verification tokens to other local users, backups, or synced services.

Ssd 3

Medium
Confidence
95% confidence
Finding
Allowing milestone messages prefixed with `ACTION:` to be treated as agent instructions creates an instruction-injection path from user-controlled content into automation. If milestone text is imported, synced, or modified by another party, it could trigger unintended actions or data disclosure to external channels when the heartbeat processes it.

Session Persistence

Medium
Category
Rogue Agent
Content
# Check webhook server
if ! pgrep -f "sendgrid_webhook.py.*--port $WEBHOOK_PORT" > /dev/null; then
    cd /root/.openclaw/workspace/skills/hour-meter
    nohup python3 scripts/sendgrid_webhook.py --port $WEBHOOK_PORT --discord-webhook "$DISCORD_WEBHOOK" > /tmp/webhook-server.log 2>&1 &
    RESTARTED="webhook-server"
    RESTART_NEEDED=true
fi
Confidence
81% confidence
Finding
nohup

Session Persistence

Medium
Category
Rogue Agent
Content
# Check cloudflared
if ! pgrep -f "cloudflared tunnel" > /dev/null; then
    nohup cloudflared tunnel --url http://localhost:$WEBHOOK_PORT > /tmp/cloudflared.log 2>&1 &
    sleep 5
    TUNNEL_URL=$(grep -o 'https://[^[:space:]]*trycloudflare.com' /tmp/cloudflared.log | head -1)
    if [ -n "$RESTARTED" ]; then
Confidence
90% confidence
Finding
nohup

VirusTotal

66/66 vendors flagged this skill as clean.
