openclaw-plus

Security checks across malware telemetry and agentic risk

Overview

This skill openly provides broad developer automation powers, but it does not sufficiently scope or gate high-impact actions like code execution, package installation, commits, deletes, processes, sub-agents, and webhooks.

Install only if you are comfortable giving this skill broad development-agent authority. Use it in a disposable or tightly controlled workspace, review commands and diffs before commits, avoid global/system package installs, do not send secrets or private data to unapproved URLs, and require explicit confirmation before deletes, webhooks, process management, sub-agent delegation, or authenticated API calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (32)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
cmd = [sys.executable, '-c', code]

try:
    result = subprocess.run(
        cmd,
        capture_output=True,
        text=True,
```
Confidence
99% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
package, '--break-system-packages']

try:
    result = subprocess.run(
        cmd,
        capture_output=True,
        text=True,
```
Confidence
95% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=120 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
        subprocess.run(['git', '-C', path, 'add', f], check=True)

# Commit
result = subprocess.run(
    ['git', '-C', path, 'commit', '-m', message],
    capture_output=True,
    text=True
```
Confidence
86% confidence
Finding
result = subprocess.run( ['git', '-C', path, 'commit', '-m', message], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
try:
    # Stage files
    if stage_all:
        subprocess.run(['git', '-C', path, 'add', '-A'], check=True)
    elif files:
        for f in files:
            subprocess.run(['git', '-C', path, 'add', f], check=True)
```
Confidence
88% confidence
Finding
subprocess.run(['git', '-C', path, 'add', '-A'], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
    subprocess.run(['git', '-C', path, 'add', '-A'], check=True)
elif files:
    for f in files:
        subprocess.run(['git', '-C', path, 'add', f], check=True)

# Commit
result = subprocess.run(
```
Confidence
82% confidence
Finding
subprocess.run(['git', '-C', path, 'add', f], check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exposes powerful capabilities including file writes, network access, and host command/process execution, but it does not declare permissions or scope boundaries. This increases the chance that the skill is invoked without adequate user awareness or policy enforcement, enabling unintended filesystem changes, outbound data transfer, or command execution.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The changelog advertises newly added capabilities for file deletion, process management, sub-agent delegation, and outbound webhook delivery, but it provides no nearby warning about destructive side effects, background execution risks, or exfiltration/network implications. In a multi-capability agent skill, this omission increases the chance that downstream users or orchestrators invoke dangerous actions without informed consent or adequate safeguards.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The quick start normalizes potentially state-changing actions—package installation, file creation, git commits, and outbound network/API access—without warning users about repository modification, environment drift, credential exposure, or data exfiltration risks. In a multi-capability automation skill, examples strongly influence agent behavior, so omission of safety boundaries can cause the agent to perform impactful actions without explicit user confirmation or scope checks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README advertises capabilities that execute Python, install packages, access the network, and create git commits, but it does not clearly warn users about the side effects or trust boundaries of those actions. In a skill ecosystem, this omission increases the chance that users invoke powerful operations without informed consent, which can lead to unreviewed code execution, dependency installation, data exfiltration, or repository modification.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This reference documents package installation, including arbitrary pip requirements and system package installation, but does not clearly warn that these actions modify the host environment and may invoke privileged package managers. In an agent skill that supports chained workflows, normalizing these operations without strong safety guidance increases the chance an agent will install untrusted packages or alter the system state unexpectedly.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The API reference includes authenticated requests and state-changing methods such as POST, PUT, and DELETE, but does not prominently warn that these can transmit sensitive data or perform destructive remote actions. In a multi-capability automation skill, this omission can lead to unintended data disclosure or unauthorized modifications to third-party services if an agent follows examples too literally.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation criteria are extremely broad, covering most development tasks and many multi-step workflows. Over-broad routing can cause the skill to be selected in situations where safer, narrower tools would suffice, increasing exposure to unnecessary network, filesystem, and process capabilities.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file operations section includes overwrite, move, delete, and recursive directory deletion examples without strong warnings, confirmation requirements, or safety guardrails. In a broadly invoked skill, this can lead to accidental destructive actions against user data or workspace contents.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The package installation guidance recommends `pip install ... --break-system-packages`, which can alter the host Python environment and destabilize system-managed packages. Presenting this without strong cautions or safer alternatives encourages risky modification of the execution environment.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The HTTP and webhook sections normalize outbound requests and authenticated API calls without prominent warnings about sending workspace data, metadata, or secrets off-host. This is especially risky in a general-purpose skill that may be applied to sensitive repositories or environments.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The process management section instructs the skill to start, wait on, and kill host processes, effectively enabling command execution. Without strong safety language about command trust boundaries and input sanitization, this can facilitate arbitrary code execution or misuse of the host environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The summary explicitly promotes a workflow that installs packages, makes external API calls, executes Python, and commits changes, but it does not include any user-facing warning about side effects such as code execution, network egress, dependency risk, repository modification, or data exposure. In a multi-capability agent skill, this omission is dangerous because users may invoke chained actions without realizing they can alter the system state and transmit data externally.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The eval suite contains many broad natural-language prompts that instruct high-impact actions such as package installation, network access, git commits, process management, sub-agent use, and webhook notifications without clear safety boundaries, preconditions, or exclusions. In an agent skill, vague prompts can normalize unsafe behavior, make policy enforcement harder, and encourage agents to perform destructive or privacy-impacting actions in unintended contexts.

Natural-Language Policy Violations

Medium
Confidence
98% confidence
Finding
The expectation explicitly requires installation with the '--break-system-packages' flag, which bypasses Python environment protections and can modify or destabilize the system interpreter environment. Embedding this as a success criterion teaches the agent to prefer an unsafe package-management practice without justification, isolation, or user consent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manifest describes a very broad set of powerful capabilities, including code execution, package management, HTTP requests, file operations, process control, sub-agents, and webhook notifications, but provides no activation boundaries, approval requirements, or scoped triggers. This increases the risk that the skill will be invoked for overly broad tasks and can enable unsafe chaining of high-risk actions, especially in agentic environments where the manifest strongly influences routing and trust.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill exposes arbitrary Python execution with only a generic log message and no user confirmation, sandboxing, or warning about the consequences. In this multi-capability agent context, that is especially dangerous because executed code can chain into filesystem access, package installation, process spawning, and network exfiltration.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This function changes the system or Python environment, including `sudo apt-get install` and pip with `--break-system-packages`, without an explicit warning about persistence or system impact. In an agent skill, these side effects are significant because they can damage reproducibility, break host packages, or execute malicious installer logic.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The git commit workflow modifies repository state by staging and committing changes without an explicit confirmation step or warning. In a dev-agent setting, this can create unauthorized commits, accidentally include secrets, and alter source history in ways that are hard to notice or revert.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Outbound API requests may send arbitrary headers, JSON payloads, and bearer tokens to user-supplied URLs with no warning about exfiltration risk. In an agent context this is dangerous because secrets, internal metadata, or sensitive task data can be transmitted to attacker-controlled endpoints.

External Transmission

Medium
Category
Data Exfiltration
Content
With authentication:
```python
result = call_api(
    "https://api.example.com/protected",
    auth_token="your-api-token-here"
)
```
Confidence
78% confidence
Finding
https://api.example.com/

VirusTotal

66/66 vendors flagged this skill as clean.