Agent Deployment Checklist

Security checks across malware telemetry and agentic risk

Overview

This is a coherent deployment checklist, but it under-scopes sensitive credential and backup handling for production client agent systems.

Review before installing or using. Treat this as a human checklist, not an automatic installer. Use pinned and verified installers where possible, define one secret-management approach, restrict .env permissions and git exclusions, and narrow or encrypt backups so client memory, secrets, logs, and cron metadata are not copied into less-protected storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The checklist gives contradictory guidance by saying API keys should be stored in environment variables 'never in files' while also instructing creation of a .env file. In practice, .env is a file containing secrets, and this ambiguity can lead operators to persist client credentials on disk insecurely, increase accidental disclosure risk, and undermine the stated secret-handling policy.

External Transmission

Medium
Category
Data Exfiltration
Content
# macOS-specific
xcode-select --install 2>/dev/null || true
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew update && brew upgrade

# Runtime
Confidence
92% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" brew update && brew upgrade # Runtime brew install nvm python@3.11 git jq nvm install --lts nvm use --lts # OpenClaw w

Session Persistence

Medium
Category
Rogue Agent
Content
"$HOME/.openclaw/workspace/" "$BACKUP_DIR/workspace/"

# Back up cron definitions
crontab -l > "$BACKUP_DIR/crontab.bak"

# Keep last 30 days of backups
find /backups/openclaw -maxdepth 1 -type d -mtime +30 -exec rm -rf {} \;
Confidence
89% confidence
Finding
crontab -l

VirusTotal

65/65 vendors flagged this skill as clean.