NANDA Chapter Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed NANDA chapter integration that stores a local signing identity and uses it for user-confirmed chapter actions.

Install only if you trust the NANDA chapters you join and your local OpenClaw environment. Protect the OpenClaw home directory because the signing key is unencrypted, review resolved chapter URLs before confirming mutating actions, and avoid submitting sensitive intents or profile details unless you are comfortable sharing them with the chapter operator.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The skill states it cannot execute shell/code, but elsewhere instructs the agent to run local Python helpers and even use `shell.exec` or `python.exec` if available. This contradiction can cause an agent or reviewer to underestimate the real execution surface, enabling local code execution paths and trust boundary violations that are not transparently disclosed.

Missing User Warnings

Medium
Confidence: 84%
Finding
The README states that a persistent did:key identity is generated locally and that hash-chained audit/state files are written, but it does not prominently warn users that durable local security-sensitive data will be created under their home directory. This can lead to uninformed consent, accidental exposure through backups or multi-user systems, and operational surprises if users do not realize the identity is long-lived and loss of the laptop means loss of identity.

Ssd 1

High
Confidence: 99%
Finding
The text explicitly explains that a client can send `origin=sovereign` to bypass the reduced-trust tier, which normalizes or encourages deliberate trust-control evasion. Even if framed as 'honest framing,' documenting a practical bypass in a skill intended to interact with the service creates a direct abuse path for privilege escalation and undermines server-side access controls.

VirusTotal

66/66 vendors flagged this skill as clean.
