Wakehook

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate wake-trigger automation service, but it handles health-derived sleep data and OAuth tokens while exposing broad webhook fan-out and an unauthenticated replay trigger in common configurations.

Review before installing. Use poll mode if possible, keep the service bound to localhost or behind trusted access controls, set a webhook auth token even for testing, avoid exposing /test/replay publicly, send wake events only to trusted HTTPS subscribers, and protect or encrypt the SQLite database containing Google refresh tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly instructs use of environment variables for OAuth secrets and performs outbound network operations to Google APIs, GitHub Container Registry, and an OpenClaw hook, yet no declared permissions are present. Missing capability declarations weaken review and consent boundaries, making it easier for a user or orchestrator to invoke a networked, secret-handling skill without adequate visibility.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The design materially expands the skill from an OpenClaw-specific wakehook into a vendor-neutral event bus that can broadcast user wake events to multiple consumers. This scope drift increases the attack surface, data disclosure risk, and the chance that operators enable unintended downstream automations inconsistent with the skill's declared purpose.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
Fan-out delivery to arbitrary subscriber URLs turns a narrow wakehook into a general outbound webhook broadcaster for sensitive health-derived events. In this context, wake times and sleep-session metadata are personal health data, so broad subscriber support materially raises the risk of exfiltration, SSRF-like misuse through operator-supplied URLs, and unauthorized secondary use.

Description-Behavior Mismatch

Low
Confidence
88% confidence
Finding
The documented `/test/replay` route is extra functionality outside the declared wakehook purpose and could be abused to replay or synthesize wake events if not strongly authenticated and isolated. Replay capabilities are particularly sensitive here because they can trigger downstream automations and create repeated actions from health-derived signals.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
Per-subscriber delivery tracking and support for multiple generic URLs confirm persistent infrastructure for distributing health-derived events beyond OpenClaw. This broadens both confidentiality risk and operational blast radius, since a compromise or misconfiguration can expose user-awake events to multiple endpoints and make abuse durable through retries and stored delivery state.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The /test/replay endpoint can synthesize wake events and directly invoke engine.process, allowing automations to run without a real provider notification. Although it is gated by the same token check, the authorization logic explicitly permits open access when the token is unset, and this skill’s purpose is to trigger user morning routines, so unauthorized or accidental access could cause real-world actions to execute.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly encourages forwarding sleep-derived wake events, including user identifiers and timestamps, to arbitrary subscriber URLs, but does not prominently warn about the sensitivity of this health-related data or the privacy risks of sending it to third parties. In a skill intended to wire health telemetry into automations and AI agents, omission of privacy guidance can lead users to disclose regulated or highly sensitive personal data to insecure or untrusted endpoints.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The description says to use the skill when the user wants wake-triggered automations, mentions wakehook, or asks to 'do something when I wake up,' which is a broad natural-language trigger. Broad triggers can cause unintended invocation of a skill that installs software, configures webhooks, handles OAuth credentials, and sets up automated actions, increasing the risk of accidental security-sensitive changes.

External Script Fetching

High
Category
Supply Chain
Content
## Prerequisites (check, don't assume)

1. **Bun ≥ 1.3** — `bun --version`; install with `curl -fsSL https://bun.sh/install | bash`.
   wakehook is Bun-only (`bun:sqlite`); never run it with Node.
2. **Google OAuth credentials** — a Google Cloud project with the **Health API**
   enabled and the `googlehealth.sleep.readonly` scope, plus an **OAuth 2.0
Confidence
97% confidence
Finding
curl -fsSL https://bun.sh/install | bash

VirusTotal

65/65 vendors flagged this skill as clean.
