OpenClaw Skill Publisher

Security checks across malware telemetry and agentic risk

Overview

This publishing guide is not malicious, but it can lead an agent to install tools and use account tokens to publish or expose files without enough safety checks.

Install only if you intentionally want an agent to help publish skills. Before running commands, verify the destination account, repository, visibility, slug, version, and exact files; scan for secrets or private material; use limited-scope tokens through a secure secret store or prompt rather than inline commands; and rotate or revoke tokens after publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium (89% confidence)
Finding:
The skill explicitly recommends using `cmd /c` to bypass PowerShell execution-policy restrictions. Even if framed as a practical workaround for package installation and publishing, this normalizes evasion of host safeguards and broadens the skill from publishing guidance into defensive-control bypass. In a skill that downloads tools and executes package managers, this increases the chance of unsafe command execution in user environments.

Context-Inappropriate Capability

Medium (91% confidence)
Finding:
The skill includes token-based authentication flows and states that a Gitee token is already configured locally, which encourages operation on live credentials and sensitive accounts. This is dangerous because skills can be triggered in broad contexts, and embedding credential-oriented guidance without strict handling rules can lead to accidental token exposure, misuse, or unauthorized publishing actions.

Vague Triggers

Medium (84% confidence)
Finding:
The trigger description is broad and includes generic phrases such as publishing, installation, and package management across multiple channels. Because the skill performs network downloads, authentication, and repository modification, loose activation criteria raise the risk of unintended invocation in contexts where the user did not clearly request these sensitive actions.

Missing User Warnings

Medium (90% confidence)
Finding:
The documentation instructs users to place access tokens directly into CLI and API commands but does not prominently warn about leakage through shell history, logs, process listings, or copied transcripts. In a publishing skill that interacts with third-party services, this creates a realistic path to credential compromise and unauthorized account actions.

Missing User Warnings

Low (78% confidence)
Finding:
The skill directs users to download and install Node.js from the network and then install a global CLI, which modifies the local environment. While this is consistent with the publishing purpose, the absence of prominent safety notices, trust verification guidance, and user confirmation makes the workflow riskier than necessary, especially in sandbox or managed environments.

VirusTotal

64/64 vendors flagged this skill as clean.