Security audit

Smart Follow-ups

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: generate follow-up question suggestions, with only expected privacy and API-key considerations.

Install is reasonable if you want contextual follow-up suggestions. Prefer the default OpenClaw-native mode, use /followups rather than broad trigger phrases where possible, keep autoTrigger disabled unless you explicitly want suggestions after every response, and treat optional OpenRouter/Anthropic API keys and conversation context as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The build summary documents an auto-trigger mode that runs after every AI response, which materially expands behavior beyond the described user-invoked follow-up feature. This can lead to unintended processing of conversation content and surprise users or operators who expect explicit invocation only.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: Advertising automatic execution after every AI response without any user-facing warning or privacy explanation creates a meaningful data-handling risk. In this skill context, the feature would repeatedly inspect conversation history, increasing the chance of processing sensitive content without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The guide recommends storing a live API key in shell startup files such as ~/.bashrc or ~/.zshrc, which leaves the credential in plaintext on disk and increases the chance of accidental disclosure through backups, dotfile syncing, screen sharing, or local compromise. While this is common developer guidance, it lacks any warning about the security tradeoff or safer alternatives.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The documented trigger phrases are very broad generic terms like "followups," "suggestions," and "what should I ask," which can appear naturally in ordinary conversation. In a skill that activates from free-form user text rather than an isolated slash command, this can cause unintended invocation, hijack user intent, or inject unsolicited behavior into unrelated chats.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The trigger phrases include common language such as "suggestions" and "what should I ask", which can appear in normal conversation unrelated to invoking the skill. Overly broad triggers increase accidental activation risk, potentially causing unsolicited processing of recent conversation context or unexpected outbound requests if a non-default provider is configured.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding: The usage guidance says to say "followups" in any conversation and lists multiple loose invocation styles, which encourages activation in broad contexts and makes invocation boundaries unclear. In a multi-channel chat environment, that ambiguity can cause unintended interception of ordinary messages and expansion of the skill's effective monitoring surface.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The CLI sends user-provided conversation context to OpenRouter or Anthropic, but the help text and interface do not clearly disclose that potentially sensitive chat content will leave the local environment. In a tool designed to process conversation history, users may reasonably pass private or regulated data, so the lack of an explicit warning creates a real privacy and data-handling risk.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The documented auto-trigger mode states that follow-ups appear automatically after every assistant response, which can cause the skill to activate outside explicit user intent. In chat environments, this can lead to prompt spam, accidental follow-on actions, and increased exposure of prior conversation context to the suggestion-generation component on every turn.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: Using the plain-text trigger "followups" is ambiguous because it can naturally occur in ordinary conversation, especially in help, support, or documentation contexts. That ambiguity can cause unintended skill invocation, leading to confusing behavior, extra API calls, and possible disclosure or processing of more conversational context than the user meant to submit to this feature.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The manifest registers generic trigger phrases such as "suggestions" and "what should I ask," which are broad enough to match ordinary user conversation rather than an explicit request to invoke this skill. That can cause unintended activation, leaking conversation context into the skill or producing follow-up UI/text when the user did not mean to call it.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Severity: Critical
Code: suspicious.env_credential_access
Location: cli/followups-cli.js:92