Openclaw Skill Gastown

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real multi-agent coding skill, but it gives agents broad automatic repo-changing authority and includes risky setup instructions that users should review first.

Install only if you intentionally want a multi-agent coding orchestrator that can run local AI coding sessions, create persistent work state, change repositories, and process merges. Review the setup commands first, avoid running the sudo Go replacement blindly, prefer pinned tool versions or verified downloads, and use this only in repositories where automated workers and merge-queue behavior are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The usage trigger is effectively 'just tell the agent what you need,' followed by a normal software-development example. That overlaps heavily with ordinary user requests and can cause the skill to activate in situations where the user did not explicitly intend to invoke multi-agent orchestration, leading to unintended execution of external tooling and repo-modifying workflows.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The Linux installation instructions include privileged destructive commands that remove and replace /usr/local/go using sudo, but they are presented inline without an explicit safety warning or verification steps. In an agent-executed context, this is risky because users may follow or delegate these commands without understanding that they modify system-wide directories as root.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script appends to the user's ~/.bashrc to permanently alter PATH without prompting or obtaining consent. While this is likely intended to make the installed tools usable, silently modifying shell startup files creates persistence and can unexpectedly affect future shell sessions, especially if the path later contains untrusted binaries.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script downloads a Go tarball from the network and extracts it locally without any integrity verification such as checksum or signature validation. If the download source, connection, or local environment is compromised, a malicious archive could be installed and executed as part of the developer toolchain.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# Install Go (apt version may be outdated, use official installer)
wget https://go.dev/dl/go1.24.12.linux-amd64.tar.gz
sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.24.12.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' >> ~/.bashrc
source ~/.bashrc
Confidence
88% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# Install Go (apt version may be outdated, use official installer)
wget https://go.dev/dl/go1.24.12.linux-amd64.tar.gz
sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.24.12.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' >> ~/.bashrc
source ~/.bashrc
Confidence
88% confidence
Finding
sudo

Tool Parameter Abuse

High
Category
Tool Misuse
Content
# Install Go (apt version may be outdated, use official installer)
wget https://go.dev/dl/go1.24.12.linux-amd64.tar.gz
sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.24.12.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' >> ~/.bashrc
source ~/.bashrc
Confidence
87% confidence
Finding
rm -rf /

Tool Parameter Abuse

High
Category
Tool Misuse
Content
# Install Go (apt version may be outdated, use official installer)
wget https://go.dev/dl/go1.24.12.linux-amd64.tar.gz
sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.24.12.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' >> ~/.bashrc
source ~/.bashrc
Confidence
87% confidence
Finding
rm -rf /usr/local/go && sudo tar -C /usr/

Chaining Abuse

High
Category
Tool Misuse
Content
# Install Go (apt version may be outdated, use official installer)
wget https://go.dev/dl/go1.24.12.linux-amd64.tar.gz
sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.24.12.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' >> ~/.bashrc
source ~/.bashrc
Confidence
83% confidence
Finding
&& sudo

VirusTotal

66/66 vendors flagged this skill as clean.
