OpenClaw Learning Loop

Security checks across malware telemetry and agentic risk

Overview

This self-improvement skill is not clearly malicious, but it can persist agent learnings and recommends broad always-on hooks that users should review before installing.

Install only if you intentionally want durable learning notes and agent-memory reminders. Prefer project-local setup over global hooks, review the scripts before enabling them, avoid storing secrets or raw transcripts, and require explicit user approval before promoting learnings into agent memory files or creating new skills.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The document's security section is internally inconsistent: it says the scripts only output text and do not run commands, yet the setup explicitly configures those scripts to execute as hook commands and also references an extraction script that creates skill scaffolds. This can mislead users into trusting hook scripts as side-effect free when they are executable code running with the agent's permissions, increasing the chance of unsafe deployment and underestimating risk.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding:
The trigger phrases are extremely broad and map to ordinary conversational language such as corrections, wishes, and questions. In an agent environment with automatic skill activation or reminders, this can cause frequent unintended logging/persistence behavior, increasing prompt-surface area and creating opportunities to capture or propagate sensitive context the user did not intend to store.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
An empty matcher causes the activator to run on every prompt, which creates a broad automatic execution surface for a local shell script. In the context of hooks, overbroad triggering increases exposure to prompt-driven abuse, unnecessary processing of potentially sensitive context, and persistent execution of unreviewed code during normal use.

Vague Triggers

Severity: High
Confidence: 95%
Finding:
The user-level configuration enables the hook globally with an empty matcher, so the script will execute across all sessions and projects. This persistence and breadth make mistakes or malicious modifications more dangerous because a single trusted-looking setup change can silently affect unrelated repositories, prompts, and sensitive work contexts.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The Codex CLI example also uses an empty matcher, again causing the hook script to execute for every prompt without meaningful scoping. Recommending this as sample configuration normalizes insecure defaults and broadens the attack surface of any bug, misuse, or future script change.
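The three empty-matcher findings above all reduce to one check a reviewer can run before enabling a skill's hooks: does any hook entry fire on every event, and is it installed at user level so it follows you into every repository? The linter below is an added example written for this review, not code from the OpenClaw Learning Loop skill or from the SkillSpector scanner. It assumes a generic configuration shape (a top-level "hooks" map from event name to a list of entries with "matcher" and "command" keys); that shape and both sample configs are constructed for illustration and are not any particular agent CLI's real schema, so adapt the loader to the settings file your tool actually reads.

```python
"""Lint hook configurations for over-broad triggers and global scope.

Added example, not part of the skill or scanner discussed on this page.
The config layout (hooks -> event -> [{matcher, command}]) is an assumed,
generic shape used only to make the checks concrete.
"""
import json

# Constructed sample: a user-level config whose activator has an empty
# matcher, so it runs on every prompt in every project (the pattern the
# findings flag as High).
USER_CONFIG = json.dumps({
    "hooks": {
        "UserPromptSubmit": [
            {"matcher": "", "command": "~/.agent/hooks/learning-activator.sh"}
        ]
    }
})

# Constructed sample: the same idea installed project-locally and scoped
# to a specific tool pattern instead of every event.
PROJECT_CONFIG = json.dumps({
    "hooks": {
        "PostToolUse": [
            {"matcher": "Edit|Write", "command": "./scripts/record-learning.sh"}
        ]
    }
})

# Matchers that are syntactically present but still match everything.
CATCH_ALL_MATCHERS = {"*", ".*", "^.*$"}


def lint_hooks(config_text, scope):
    """Return (severity, message) findings for one config file.

    scope is "user" (global settings, applies to all projects) or
    "project" (repo-local settings). Findings are ordered as produced.
    """
    cfg = json.loads(config_text)
    findings = []
    for event, entries in cfg.get("hooks", {}).items():
        for entry in entries:
            matcher = (entry.get("matcher") or "").strip()
            command = entry.get("command", "<missing>")
            # An empty or catch-all matcher fires the script on every
            # occurrence of the event, with the agent's permissions.
            if not matcher or matcher in CATCH_ALL_MATCHERS:
                severity = "high" if scope == "user" else "medium"
                findings.append((
                    severity,
                    f"{event}: matcher {matcher!r} runs {command!r} on every event",
                ))
            # A user-level hook applies to every repository and session,
            # so a later edit to the script silently affects all of them.
            if scope == "user":
                findings.append((
                    "medium",
                    f"{event}: user-level hook {command!r} applies to all projects",
                ))
    return findings


def worst_severity(findings):
    """Collapse a findings list to the most severe level, or 'clean'."""
    order = {"high": 2, "medium": 1, "low": 0}
    if not findings:
        return "clean"
    return max((sev for sev, _ in findings), key=lambda s: order.get(s, -1))


if __name__ == "__main__":
    for name, text, scope in (("user", USER_CONFIG, "user"),
                              ("project", PROJECT_CONFIG, "project")):
        result = lint_hooks(text, scope)
        print(f"{name} config: {worst_severity(result)}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

Running it reports the user-level config as "high" (empty matcher plus global scope) and the project-local, tool-scoped config as "clean", which is the concrete form of the page's advice to prefer project-local setup over global hooks and to scope triggers narrowly.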

VirusTotal

63/63 vendors flagged this skill as clean.
