ClawHub

XMTP

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent XMTP bridge, but it can turn vague messaging requests into a persistent public agent endpoint with weak default access boundaries.

Install only if you explicitly want a persistent XMTP-facing OpenClaw agent. Use a fresh no-funds wallet, protect ~/.xmtp/.env, run under a dedicated user or container, require explicit confirmation before setup, and configure separate low-privilege tool profiles for public users; do not rely on public-prompt.md alone as access control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill claims public users are restricted, but the provided bridge actually sends public messages to the same OpenClaw agent and only prepends a natural-language instruction. That is not an enforcement boundary: prompt injection or normal tool-using behavior could still cause the agent to access broader capabilities or persistent memory on behalf of untrusted senders.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The access-control section presents a restrictive public mode, but the implementation shown earlier only wraps untrusted input in a pseudo-system prefix before forwarding it to the agent. Since this is still plain user-controlled text in the model input path, it does not provide reliable isolation from tools, memory, or instruction override attempts.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The description is written broadly enough to trigger on generic requests about messaging, coordination, or autonomy, increasing the chance the skill activates in contexts the user did not intend. In an agent ecosystem, over-broad activation can cause installation of messaging bridges and exposure of external communication surfaces when the user only wanted a one-off action or information.

Vague Triggers

High
Confidence
98% confidence
Finding
The instruction explicitly maps vague requests like 'send a message' or 'test' to full bridge deployment, bypassing normal intent confirmation. This can lead to unnecessary package installation, wallet/key initialization, and creation of a persistent inbound communications channel from an ambiguous or low-risk user request.

Ssd 3

Medium
Confidence
93% confidence
Finding
All public users' message contents are forwarded verbatim into agent sessions, where they may influence model behavior and be retained in per-conversation memory. This creates a direct natural-language attack path for prompt injection, sensitive data solicitation, or persistence of attacker-controlled content in the agent's context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal