Tsz

Security checks across malware telemetry and agentic risk

Overview

This package mixes several different skills and includes configuration-changing and always-on hook guidance that users would not reasonably expect from the declared self-improvement skill.

Do not install this as-is unless you are prepared to audit and separate the mixed functionality. Before using it, require a clear package identity, remove unrelated assets, avoid global empty-matcher hooks, back up ~/.openclaw/openclaw.json, use dedicated API keys, and only run the FreeRide config or watcher scripts after reviewing exactly what they will change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Description-Behavior Mismatch
Severity: High | Confidence: 99%
The README and described behavior are for a model-switching/configuration tool, not a self-improvement skill that captures learnings and corrections. This capability mismatch is dangerous because it can cause the agent platform to grant network and configuration-changing behavior under a misleading label, undermining review and user consent.

Context-Inappropriate Capability
Severity: High | Confidence: 98%
The documentation instructs the skill to access OpenRouter and modify ~/.openclaw/openclaw.json, which is unjustified for a self-improvement skill. In the stated context, these are over-privileged actions that could be abused to redirect models, alter agent behavior, or exfiltrate usage through attacker-controlled configuration changes.

Intent-Code Divergence
Severity: Medium | Confidence: 96%
The README's intent directly conflicts with the declared self-improvement purpose, indicating deceptive or at least misleading packaging. This increases risk because reviewers and users may approve or invoke the skill based on harmless-sounding metadata while it performs unrelated operational changes.

Description-Behavior Mismatch
Severity: Medium | Confidence: 91%
The HTML imports external resources from Google Fonts, which causes network access when the file is rendered. In a skill whose purpose is self-improvement and capturing learnings, shipping presentation HTML with third-party requests is unjustified and expands the trust boundary by leaking access metadata such as IP address, user agent, and timing to an external service.

Context-Inappropriate Capability
Severity: Medium | Confidence: 95%
This file is a polished corporate proposal template unrelated to the self-improvement skill's declared function of storing learnings and corrections. Unrelated bundled content is dangerous because it can hide prompt-injection material, social-engineering payloads, phishing-style artifacts, or unauthorized capabilities inside a skill package, making review harder and increasing the chance the agent will surface or use content outside its intended scope.

Description-Behavior Mismatch
Severity: High | Confidence: 99%
The code implements a model-management CLI that fetches remote model metadata, ranks models, and rewrites OpenClaw configuration, which is unrelated to the declared self-improvement skill. In an agent-skill context, this mismatch is dangerous because it grants unexpected network and configuration-modification capabilities under misleading metadata, undermining user trust and review controls.

Context-Inappropriate Capability
Severity: High | Confidence: 98%
This skill fetches remote data from OpenRouter despite being declared as a self-improvement skill, creating an unjustified outbound network capability. In context, that is risky because a user or reviewer expecting only local learning/error-capture behavior would not anticipate external communication or credential use.

Context-Inappropriate Capability
Severity: High | Confidence: 99%
The skill writes to the user's OpenClaw configuration and can create auth-profile entries, actions that are unrelated to self-improvement and materially alter agent behavior. In this context, hidden config mutation is especially dangerous because it can silently change model selection and authentication setup under the guise of a benign memory/improvement feature.

Missing User Warnings
Severity: Low | Confidence: 90%
The README states that FreeRide configures model settings and preserves existing config, but it does not clearly warn that it will modify a local OpenClaw configuration file. Even if the change is legitimate, silent or under-disclosed config edits can surprise users, break environments, or normalize unsafe permission expectations.

Vague Triggers
Severity: Medium | Confidence: 84%
The invocation cues are so broad that the skill may activate during routine conversations, corrections, or task transitions. In context, that means persistent logging and possible follow-on actions can happen far more often than users expect, increasing the chance of oversharing, unnecessary file writes, and accidental promotion of transient context into long-term memory.

Vague Triggers
Severity: High | Confidence: 96%
An empty hook matcher causes the activator to run on every user prompt, effectively making this skill a universal interceptor. Because the skill persists learnings and encourages review/promotion, universal triggering amplifies privacy risks, prompt-surface expansion, and the chance of logging sensitive or irrelevant content without meaningful user intent.

Vague Triggers
Severity: High | Confidence: 97%
The second hook example again uses an empty matcher, and additionally chains error detection after tool use, broadening automated observation across the session. This can cause widespread collection of command outputs and prompt context, some of which may contain secrets, credentials, internal paths, or proprietary data, all under a skill whose stated purpose sounds much narrower.

Missing User Warnings
Severity: Medium | Confidence: 95%
The skill instructs agents to log user corrections, requests, errors, and contextual details into persistent markdown files, but provides no privacy boundary or sensitive-data handling guidance. In practice, users often include credentials, personal data, internal URLs, stack traces, and business context in exactly these situations, so indiscriminate logging creates avoidable data retention and disclosure risk.

Missing User Warnings
Severity: Medium | Confidence: 95%
The script writes the OpenClaw config file directly without an explicit confirmation step, preview, or rollback mechanism. That can unexpectedly alter agent configuration, break existing setups, or persist attacker-influenced changes if invoked indirectly or with misleading expectations.

Missing User Warnings
Severity: Medium | Confidence: 87%
The code retrieves an API key from environment/config and transmits it in an Authorization header without a prominent warning at the point of use. While this is standard for authenticated APIs, it is still a meaningful transparency and consent issue here because the skill's declared purpose does not suggest outbound authenticated requests.

Vague Triggers
Severity: Medium | Confidence: 77%
The user-level configuration installs the hook globally and pairs it with an empty matcher, causing the skill script to execute for every prompt across all projects and contexts. That creates unnecessary persistence and broadens the blast radius if the hooked script is later modified, replaced, or behaves unexpectedly, especially because the hook runs automatically rather than with per-task consent.

VirusTotal

65/65 vendors flagged this skill as clean.