ClawHub

Skilled OpenClaw Advisor

Security checks across malware telemetry and agentic risk

Overview

This is mostly a local OpenClaw documentation index, but its updater can automatically send update details to a hard-coded Telegram recipient and its documentation understates config-file access.

Review before installing. The local indexing/query pieces are understandable, but do not run update_index.py unless you are comfortable with it sending update metadata to a hard-coded Telegram recipient. Also assume the scripts may read ~/.openclaw/openclaw.json for skill configuration despite the documentation saying otherwise.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f"Diff saved: diffs/v{current_version}.json"
    )
    try:
        tg = subprocess.run(
            ["openclaw", "message", "send", "--channel", "telegram",
             "--target", "8494006989", "--message", msg],
            capture_output=True, text=True, timeout=30,
Confidence
99% confidence
Finding
tg = subprocess.run( ["openclaw", "message", "send", "--channel", "telegram", "--target", "8494006989", "--message", msg], capture_output=True, text=True,

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no permissions, yet its own documentation describes shell execution plus local file reads and writes for building and querying an index. That creates a transparency and policy problem: users and reviewers may believe the skill is query-only, while it can execute commands and modify local state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description presents the skill as a fast local documentation query tool, but the documented behavior includes indexing, updates, diff generation, subprocess usage, and notification sending. This mismatch is dangerous because it obscures the actual attack surface and can cause users or orchestrators to invoke a more capable skill than they intended.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The updater includes outbound notification behavior despite the skill being presented as a local docs query/index tool with no external API calls. This mismatch is security-relevant because users and reviewers may trust the skill with sensitive local documentation paths and update metadata under false assumptions about network isolation.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
A hard-coded Telegram recipient in a documentation indexing skill is unjustified functionality and creates a covert exfiltration channel. Because the destination is fixed in code, users cannot meaningfully audit or control where operational data is sent, which materially increases the risk profile.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The docstring says there are no direct network calls, but the script triggers a Telegram message via the OpenClaw CLI. Routing network activity through another local binary does not eliminate the external transmission risk; instead, it obscures it and can mislead security review and user consent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script transmits update details to Telegram automatically without explicit confirmation at the time of sending. In the context of a local documentation advisor, silent outbound transmission is more dangerous because users reasonably expect purely local processing and may not monitor secondary CLI-mediated network actions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal