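Long-task monitoring solution. Implements a Worker-Monitor architecture in which the Monitor tracks Worker status through hook-logger logs and reports via Announce in 10-minute rounds. Uses a main-session polling mechanism (because of the sub-agent sessions_send limitation). OpenClaw 2.21+ recommended. Trigger words: 长任务 (long task), 监控任务 (monitor task), 任务监控 (task monitoring)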

Security checks across malware telemetry and agentic risk

Overview

This is a genuine long-task monitor, but it gives agents broad local monitoring and session-control authority without enough scoping, retention, or user-approval boundaries.

Install only if you trust the hook-logger dependency and are comfortable with this skill reading local OpenClaw logs, storing task/session metadata, and controlling worker sessions. Do not run the npm publish commands unless you are the maintainer, avoid using it for tasks that may put secrets in logs, and manually verify session cleanup and delete old task folders when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The plan includes instructions to bump and publish the hook-logger plugin to npm from a local extension directory, which expands the skill's scope from monitoring into software release operations. In a security-sensitive agent skill, unsolicited package publishing can cause accidental supply-chain impact, disclosure of local unpublished code, or release of tampered artifacts if followed blindly.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The monitor prompt says to return results without calling any tools, yet elsewhere requires reading hook-logger files and recording periodic status. This contradiction can cause implementers or agents to bypass intended tool controls, improvise unsafe access methods, or silently fail monitoring while appearing compliant.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The design continuously reads and persists worker logs, session keys, task descriptions, and activity records under local workspace paths without clearly warning that these artifacts may contain sensitive operational data. In this context, the monitor is specifically aggregating execution telemetry, so unclear retention and exposure rules increase the risk of privacy leaks, credential/session identifier disclosure, and unintended cross-task visibility.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The plan authorizes the main session to automatically send 'continue working' to a potentially stuck worker up to five times without clear user notice or approval boundaries. For long-running tasks that may invoke tools or external side effects, silent automated retries can amplify mistakes, repeat harmful actions, or mask a genuine failure state that should trigger human review.

VirusTotal

66/66 vendors flagged this skill as clean.
