Native Run

Security checks across malware telemetry and agentic risk

Overview

This skill openly runs local commands, but it gives chat input broad shell access with weak controls and should be reviewed carefully before installation.

Install only if you intentionally want OpenClaw to run shell commands on the local gateway machine. Use it only in a disposable VM or tightly restricted test environment, keep it away from sensitive files and credentials, and do not allow autonomous or untrusted chat input to invoke it until it has command allowlists, explicit per-command confirmation, lifecycle controls, and non-hardcoded authentication.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Run the command
try:
    output = subprocess.check_output(
        payload["command"],
        shell=True,
        stderr=subprocess.STDOUT,
Confidence
99% confidence
Finding
output = subprocess.check_output(
    payload["command"],
    shell=True,
    stderr=subprocess.STDOUT,
    text=True,
)

Intent-Code Divergence

High
Confidence
90% confidence
Finding
The header comment materially downplays the behavior of the program by describing it as a tiny server while it actually exposes arbitrary shell execution over HTTP. Misleading documentation increases the chance that reviewers or users will underestimate the risk and deploy dangerous functionality without appropriate controls.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill forwards user-controlled input directly as a native command to a localhost runner, effectively exposing arbitrary command execution with no validation, restriction, or stated business justification. This is highly dangerous because any user who can influence `context.message` can trigger OS-level actions through the backend service, leading to full host compromise, data theft, persistence, or destructive actions.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation instructions are underspecified: they say to send a message matching a configured pattern, but only provide an example rather than a strict, bounded trigger definition. For a skill that executes native local commands, vague triggering increases the risk of unintended activation, prompt/command injection through loosely matched user input, or misuse by other agents that cannot reliably distinguish safe requests from dangerous ones.

Missing User Warnings

High
Confidence
93% confidence
Finding
The code runs commands immediately on receipt with no confirmation, approval, or safety interlock, so any request that passes token validation can trigger execution. In an agent-skill context, this is especially dangerous because it can turn higher-level model or workflow input into direct local command execution without a human checkpoint.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code hands shell-like execution to a native runner immediately after parsing a message, without any warning, consent prompt, or safety interlock. In context, this makes exploitation easier because a normal-looking chat message can directly become a system command, increasing the chance of accidental or malicious execution.

Vague Triggers

High
Confidence
98% confidence
Finding
The skill explicitly advertises and enables running an arbitrary command, and the task definition shows the command will be injected from the chat message. This creates a direct command-execution capability with no documented allowlist, validation, sandboxing, or user-approval boundary, which can lead to full host compromise, data theft, destructive actions, or lateral movement depending on the runtime environment.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The skill text and structure imply that arbitrary commands are to be executed based on chat-provided input, but there are no stated consent, authorization, or policy constraints. In an agent setting, this is especially dangerous because natural-language input can be attacker-controlled, turning the skill into an unguarded remote shell primitive.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal