Adversarial Review

Security checks across malware telemetry and agentic risk

Overview

This document-review skill mostly does what it says, but one copy helper can run shell commands from a destination path and should be reviewed before use.

Install only if you are comfortable with reviewed documents being copied into ~/.openclaw/workspace/reviews/ and sent to spawned reviewer model sessions. Before running scripts/cp-output.sh, remove the eval-based path expansion or avoid passing any destination value containing shell syntax such as command substitutions. Delete old review folders when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Severity: High
Confidence: 99%

Finding: The script uses `eval echo "$DESTINATION"` to expand the user-supplied destination path, which causes shell metacharacters and command substitutions in the argument to be executed. Because the script's purpose is only to copy a file, this introduces unnecessary command-execution capability from untrusted input, allowing an attacker to run arbitrary commands in the context of whoever invokes the script.

Vague Triggers

Severity: High
Confidence: 94%

Finding: The skill instructs itself to activate on very broad phrases and even whenever a substantial document is produced, which can cause unsolicited execution in contexts the user did not clearly intend. In an agent system, ambiguous self-triggering expands the attack surface by enabling unexpected invocation, extra model calls, unintended document handling, and workflow interference.

Missing User Warnings

Severity: Medium
Confidence: 96%

Finding: The skill declares persistent storage of reviewed documents under a local workspace path without any explicit user warning or consent step. Storing potentially sensitive drafts, architecture docs, or security designs on disk can create confidentiality and retention risks, especially on shared machines or long-lived environments.

Missing User Warnings

Severity: Medium
Confidence: 97%

Finding: The instructions explicitly tell the agent to copy user documents into a session directory and later export output, again without a clear warning or consent boundary. Copying files increases the number of sensitive replicas on disk and raises the chance of accidental disclosure, unauthorized access, or retention beyond the user's expectations.

Missing User Warnings

Severity: Medium
Confidence: 97%

Finding: The script silently evaluates the destination argument as shell code without any warning, so a user may reasonably believe they are passing a normal path when in fact command substitutions or other shell constructs will execute. This lack of disclosure increases exploitability because dangerous behavior is hidden behind a benign file-copy interface.

VirusTotal

61 of 61 vendors reported this skill as clean.
