JEP Guard

Security checks across malware telemetry and agentic risk

Overview

JEP Guard is mostly a coherent local security/audit daemon, but it needs review because its install-time behavior and local execution-data sharing are more sensitive than its strongest “zero auto-execution” wording suggests.

Install only if you want a security module that can observe and gate OpenClaw skill executions. Prefer passive mode first, review ~/.jep-guard/config.json before starting the daemon, and enable full mode only if you accept local logging of command metadata and ongoing runtime hooks. The package should tighten its install disclosure and dependency ranges before being treated as low-friction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding: The package description explicitly claims 'zero auto-execution during install,' but the scripts section defines a postinstall hook that runs automatically on installation. This creates a trust and supply-chain risk because install-time execution happens before a user can meaningfully review runtime behavior, and the misleading claim increases the chance users will install it under false assumptions.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The hook forwards command metadata and execution context (including args and cwd) to a local Unix socket owned by another process without any explicit consent or user-visible disclosure in this code path. Even though the destination is local IPC rather than a remote network endpoint, this still expands the trust boundary and can expose sensitive command arguments, paths, or operational context to another daemon if that socket is spoofed, overly permissive, or operated by untrusted code.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The post-execution hook reports termination reasons, exit status, and optional output-derived evidence to a separate local daemon without any visible warning or consent mechanism. This can leak sensitive operational details or artifacts to another process, and the risk is increased because the code treats the daemon as trusted based only on the presence of a socket path.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The initializer silently sets `audit.stream` to `remote` for `team` and `enterprise` modes without any explicit disclosure, consent, or description of what data will be transmitted. In a security product, hidden or unclear outbound audit behavior can cause unintended exfiltration of sensitive prompts, skill metadata, or operational logs, especially because the UI only describes the mode as 'shared audit' or 'full logging' and never warns about remote transmission.

Known Vulnerable Dependency: uuid==9.0.0 — 1 advisory: CVE-2026-41907 (uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided)

Severity: Low
Category: Supply Chain
Confidence: 83%
Finding: uuid==9.0.0

Known Vulnerable Dependency: tar==6.2.0 — 7 advisories: CVE-2026-24842 (node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Trave); CVE-2026-26960 (Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in no); CVE-2026-23745 (node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Ins) +4 more

Severity: High
Category: Supply Chain
Confidence: 95%
Finding: tar==6.2.0

Known Vulnerable Dependency: openclaw==1.0.0 — 10 advisories: CVE-2026-32064 (OpenClaw's andbox browser noVNC observer lacked VNC authentication); CVE-2026-32006 (OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallbac); CVE-2026-41913 (OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret r) +7 more

Severity: High
Category: Supply Chain
Confidence: 74%
Finding: openclaw==1.0.0

VirusTotal

65/65 vendors flagged this skill as clean.