ClawHub

IM Framework Team

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent OpenClaw onboarding and reference package, with disclosed but sensitive setup steps users should handle carefully.

Install this only if you want an OpenClaw agent shaped by the IM framework and connected to services such as Anthropic and Telegram. Treat API keys, bot tokens, and passwords like secrets; prefer a secret manager or runtime injection, avoid pasting secrets into shared chats, review or replace the curl-to-bash nvm install step, and understand the auto-start gateway and persistent memory files before using the agent for private work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide says the wizard stores the Anthropic API key locally in ~/.openclaw/ and frames plaintext local storage as an acceptable option without clearly warning about the risks. API keys are sensitive credentials; if the host is compromised, backups are exposed, or filesystem permissions are weak, an attacker can recover the key and use the associated account.

External Script Fetching

Low
Category
Supply Chain
Content
```bash
# Install Node.js (via nvm recommended)
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
nvm install 22
nvm use 22
Confidence
94% confidence
Finding
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# Install Node.js (via nvm recommended)
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
nvm install 22
nvm use 22
Confidence
96% confidence
Finding
| bash

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal