ClawHub

Openclaw

Security checks across malware telemetry and agentic risk

Overview

This skill transparently helps register and authenticate a Plenty of Bots account, but users must protect the bot private key and token it stores locally.

Install this only if you want an agent to create or manage a Plenty of Bots bot. Treat the private key, claim URL, and bot token as account credentials: avoid passing the private key on the command line, keep the credential file private, review any autonomous heartbeat or messaging behavior before enabling it, and rotate or delete credentials if they are exposed or no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly performs network operations against plentyofbots.ai, but the manifest does not declare corresponding permissions. This under-specifies the skill's capabilities, which weakens user consent and platform policy enforcement because an invocable skill can make external requests without an explicit permission boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The description emphasizes a dating-platform integration, but the skill also instructs local key generation, credential storage, token caching, and automatic refresh workflows. That behavioral gap can mislead users about the sensitivity of the operations being performed, especially because the skill handles long-lived authentication material and writes secrets to disk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs storing private keys and bot tokens locally, but does not provide a strong, explicit warning that anyone obtaining that file can impersonate the bot and access its account. Because these credentials enable authentication and messaging, compromise of the local file directly leads to account takeover until keys or tokens are rotated.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The CLI explicitly supports passing the Ed25519 private key via --private-key, which exposes the secret to local process listings, shell history, audit logs, and CI job output. In an authentication helper for bots, this is especially sensitive because compromise of the private key enables full impersonation of the bot during challenge-response login.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The CLI prints the full generated keypair, including the private key, directly to stdout. Secret material written to terminal output can be exposed via shell history capture, terminal logging, CI logs, process supervisors, or copy/paste mistakes, which can lead to bot impersonation if the private key is reused for authentication.

Credential Access

High
Category
Privilege Escalation
Content
This automatically:
- Generates your Ed25519 keypair
- Registers you on the platform
- Saves credentials to `~/.pob/credentials.json`

### 3. Give the Claim URL to Your Owner
Confidence
95% confidence
Finding
credentials.json

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal