Skillminer

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it reads private memory files and its secret-scrubbing and cleanup safeguards are weaker than its documentation suggests.

Install only if you are comfortable with a tool reading recent OpenClaw memory files and writing derived local review, state and draft artifacts. Keep FORGE_RUNNER unset unless you explicitly accept Claude/Anthropic processing. Review generated skills before promoting them. Do not rely on the documented token redaction until the missing secret-patterns.tsv and the output-scrubbing gaps are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding: The template hard-codes security assurances such as environment-based credential handling and no stored secrets, even though the writer is packaging candidate data and may not actually verify those claims against the underlying workflow. This can produce misleading SKILL.md files that overstate safety properties, causing reviewers or downstream agents to trust unsafe skills and miss real secret-handling or network risks.
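
One mechanical check for this finding, added here as an example and not part of the scanner or the skill: read the assurances a SKILL.md asserts and grep the skill's own scripts for evidence that contradicts them. The claim phrases, the secret-assignment regex, the network-client list and the two constructed sample skills are this example's assumptions; the script names `run.sh` and the `check_divergence` function are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not the scanner's or the skill's code): cross-check the safety
# assurances a SKILL.md asserts against what the skill's scripts actually do.
# The claim phrases, SECRET_RE, NETWORK_RE and the sample skills are assumptions.
set -u

# A literal assigned to a credential-looking variable, e.g. API_KEY="sk-...".
SECRET_RE="(api[_-]?key|secret|token|password)[[:space:]]*=[[:space:]]*[\"'][^\"']{8,}"
# Network clients a skill that claims "no network" should not invoke.
NETWORK_RE='(curl|wget|nc|ncat|ssh|scp)'

# Scan script files under $1 for extended regex $2 (case-insensitive; whole
# words when $3 is "w"). Prints matching lines; returns 0 only if something matched.
scan_scripts() {
  dir=$1; re=$2; mode=${3:-}
  if [ "$mode" = w ]; then
    grep -rIinEw --include='*.sh' --include='*.py' --include='*.js' -e "$re" "$dir"
  else
    grep -rIinE --include='*.sh' --include='*.py' --include='*.js' -e "$re" "$dir"
  fi
}

# Compare SKILL.md claims with the code. Returns 0 when consistent, 1 when a
# claimed property is contradicted by a script (evidence is printed), 2 if no SKILL.md.
check_divergence() {
  dir=$1; md="$dir/SKILL.md"; divergent=0
  [ -f "$md" ] || { echo "no SKILL.md in $dir" >&2; return 2; }
  if grep -iqE 'no (stored|hard-?coded) secrets' "$md"; then
    if scan_scripts "$dir" "$SECRET_RE"; then
      echo "DIVERGENCE: SKILL.md claims no stored secrets, but a literal is assigned above"
      divergent=1
    fi
  fi
  if grep -iqE 'no (network|outbound)' "$md"; then
    if scan_scripts "$dir" "$NETWORK_RE" w; then
      echo "DIVERGENCE: SKILL.md claims no network use, but a network client is invoked above"
      divergent=1
    fi
  fi
  return "$divergent"
}

# Constructed sample skills for a demo run (not real skills). Both SKILL.md files
# make the same claims; only "honest" lives up to them. Prints the temp root.
build_sample_skills() {
  root=$(mktemp -d)
  mkdir -p "$root/honest" "$root/overstated"
  printf '%s\n' 'Credentials come from the environment. No stored secrets. No network access.' \
    > "$root/honest/SKILL.md"
  printf '%s\n' 'KEY="${API_KEY:?set API_KEY}"' 'echo "using key of length ${#KEY}"' \
    > "$root/honest/run.sh"
  cp "$root/honest/SKILL.md" "$root/overstated/SKILL.md"
  printf '%s\n' 'API_KEY="sk-example-0123456789"' 'curl -s https://example.invalid/upload' \
    > "$root/overstated/run.sh"
  printf '%s\n' "$root"
}

if [ "${1:-}" = --demo ]; then
  root=$(build_sample_skills)
  check_divergence "$root/honest" && echo "honest: consistent"
  check_divergence "$root/overstated" || echo "overstated: divergent (exit $?)"
  rm -rf -- "$root"
fi
```

Run it with `--demo` to see both outcomes. The check is deliberately pattern-based: a clean result does not prove the claim, but a hit is concrete evidence that the SKILL.md text and the code disagree, which is what a reviewer needs before promoting a generated skill.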

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The description advertises broad natural-language triggers such as "propose a skill" and "what skills should I have," which can plausibly occur in normal conversation and cause the skill to activate unintentionally. In this skill, unintended activation can lead to reading local memory files and writing review or draft artifacts, so the issue is not code execution but an unwanted expansion of access to sensitive local data and side effects.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The trigger list contains many ambiguous phrases in multiple languages, including conversational requests and management verbs such as "annehmen als skill" (German: "adopt as a skill") and "what patterns have I been doing," without visible scope constraints. Because this skill can inspect `memory/` and write to `state/` and `skills/_pending/`, accidental or prompt-induced triggering increases the chance of unintended local data processing and draft creation, especially in mixed conversational contexts.

Chaining Abuse

Severity: High
Category: Tool Misuse
Content:
# Remove any staging dir not scoped to this run's STAMP — mtime-based cleanup
# leaks crash dirs from within the last hour, which could shadow the new run.
if [[ -d "$CLAWD_DIR/skills/_pending/.staging" ]]; then
  find "$CLAWD_DIR/skills/_pending/.staging" -maxdepth 1 -mindepth 1 -type d ! -name "*-${STAMP}" 2>/dev/null | xargs -r rm -rf
fi

BACKUP_FILE="$(create_state_backup "$STATE_FILE" "$STAMP")"
Confidence: 88%
Finding: matched pattern `| xargs -r rm`. The delete set depends on $CLAWD_DIR and $STAMP: with an empty STAMP the `! -name "*-"` filter spares only directories whose names end in a dash, and every other directory under .staging is removed.

Chaining Abuse

Severity: High
Category: Tool Misuse
Content:
rollback_pending_staging() {
  # Remove any staging dirs left by this run
  find "$STAGING_BASE" -maxdepth 1 -type d -name "*-${STAMP}" 2>/dev/null | xargs -r rm -rf
}

rollback_state_and_write_log() {
Confidence: 90%
Finding: matched pattern `| xargs -r rm`. Every directory under $STAGING_BASE matching *-$STAMP is removed; with STAGING_BASE unset, find runs against an empty path and its error is discarded by 2>/dev/null, so failures are silent.

Chaining Abuse

Severity: High
Category: Tool Misuse
Content:
# rotate logs — keep last 30
find "$LOG_DIR" -name 'write-*.log' -type f -printf '%T@ %p\n' | \
  sort -n | head -n -30 | cut -d' ' -f2- | xargs -r rm -f

exit "$FINAL_EXIT"
Confidence: 81%
Finding: matched pattern `| xargs -r rm`. File names travel newline-separated through sort, head and cut, so a log name containing whitespace or a newline is split before it reaches rm -f.
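
The three flagged chains rewritten so that an empty or malformed variable cannot widen the delete set and file names with whitespace cannot be split, added here as an example and not the skill's code. Function names, the STAMP character whitelist and the constructed sample tree are this example's assumptions; the log rotation assumes GNU find and coreutils for the NUL-delimited `-printf '%T@\t%p\0'`, `sort -z`, `head -z` and `cut -z`. It covers all three findings above with one set of helpers.

```shell
#!/usr/bin/env bash
# Added example (not the skill's code): hardened versions of the three flagged
# `find ... | xargs -r rm` chains. Function names and the sample tree are assumptions;
# GNU find/coreutils are assumed for the NUL-delimited log rotation.
set -u

# STAMP is interpolated into a find -name glob, so reject anything empty or
# anything that could act as a glob metacharacter ("*", "?", "[").
valid_stamp() {
  case "${1:-}" in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Delete the immediate subdirectories of $1 whose names do NOT end in -$2.
# find hands each path to rm itself (-exec ... {} +), so there is no whitespace
# splitting, and the guards refuse bad input instead of silently matching everything.
prune_stale_staging() {
  base=${1:-}; stamp=${2:-}
  [ -n "$base" ] && [ -d "$base" ] || return 1
  valid_stamp "$stamp" || return 1
  find "$base" -mindepth 1 -maxdepth 1 -type d ! -name "*-$stamp" -exec rm -rf -- {} +
}

# Delete the immediate subdirectories of $1 whose names DO end in -$2 (rollback case).
remove_run_staging() {
  base=${1:-}; stamp=${2:-}
  [ -n "$base" ] && [ -d "$base" ] || return 1
  valid_stamp "$stamp" || return 1
  find "$base" -mindepth 1 -maxdepth 1 -type d -name "*-$stamp" -exec rm -rf -- {} +
}

# Keep the $2 newest write-*.log files directly under $1 and delete the rest.
# Every stage is NUL-delimited, so a name like "write-with space.log" survives intact.
rotate_logs() {
  dir=${1:-}; keep=${2:-30}
  [ -n "$dir" ] && [ -d "$dir" ] || return 1
  case "$keep" in '' | *[!0-9]*) return 1 ;; esac
  find "$dir" -maxdepth 1 -type f -name 'write-*.log' -printf '%T@\t%p\0' \
    | sort -z -n \
    | head -z -n -"$keep" \
    | cut -z -f2- \
    | xargs -0 -r rm -f --
}

# Constructed sample tree for a demo run: two staging dirs from an old run (one
# with a space in its name), one from the current run, and six logs with distinct
# mtimes. Prints the temp root.
build_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/staging/a-OLD" "$root/staging/crash dir-OLD" "$root/staging/b-NEW" "$root/logs"
  i=0
  while [ "$i" -lt 5 ]; do
    touch -d "2024-01-01 00:00:0$i" "$root/logs/write-$i.log"
    i=$((i + 1))
  done
  touch -d "2024-01-01 00:00:09" "$root/logs/write-with space.log"
  printf '%s\n' "$root"
}

if [ "${1:-}" = --demo ]; then
  root=$(build_sample_tree)
  prune_stale_staging "$root/staging" NEW
  rotate_logs "$root/logs" 3
  find "$root" -mindepth 1 | sort   # what survived
  rm -rf -- "$root"
fi
```

Run with `--demo` to see the surviving tree. The important difference from the flagged code is that each function fails closed: an unset base directory or an empty STAMP returns 1 before any `find` runs, rather than running `find` against an empty path or an over-broad glob.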

VirusTotal

64/64 vendors reported this skill as clean (no detections).