ClawHub

🦞 小龙虾入职培训手册

Security checks across malware telemetry and agentic risk

Overview

This package mixes several unrelated skills and can persist profile data, alter agent identity files, and attempt additional skill installation.

Install only after reviewing the package contents and deciding you want onboarding, browser automation, image generation, self-improvement hooks, persistent memory/persona edits, and possible skill installation in one package. Treat saved browser state and generated profile files as sensitive, and prefer waiting for the publisher to separate these capabilities or add explicit opt-in controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (42)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The README describes a completely different skill (`image-gen`) than the declared skill metadata (`Agent Browser`). This mismatch is dangerous because users and automated systems may install or trust the package under false assumptions, which can conceal unintended capabilities, misroute secrets such as API keys, or mask a supply-chain substitution/tampering issue. In the context of an agent browser skill, documentation inconsistency is more dangerous because browser automation often handles navigation, page interaction, and potentially sensitive session data.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest presents itself as an onboarding/training handbook, yet it bundles and appears designed to auto-install additional capabilities unrelated to that narrow purpose, including browser automation. This mismatch is dangerous because it expands the agent's operational scope beyond what a user would reasonably expect from a training package, creating covert capability escalation and consent issues.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
A package described as a training manual should not silently carry a self-improving agent payload, because that introduces autonomous behavior change and capability growth far outside onboarding. In context, this is especially risky because self-modifying or self-extending behavior can undermine review assumptions and lead to uncontrolled execution paths.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Bundling browser automation into a lobster onboarding handbook is context-inappropriate and materially broadens what the skill can do, including website navigation and interaction. That matters because users and reviewers may approve the package for harmless training behavior while inadvertently granting web automation capability.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
A self-improving agent capability is not a reasonable dependency of an onboarding handbook and represents a substantial hidden expansion of privilege and behavior. In this context, the mismatch makes the package more dangerous because the declared benign purpose can be used as cover for introducing autonomous or persistent functionality.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script writes user profile, preferences, and memory data into multiple persistent files under the user's home directory, despite the skill being described as a browser automation tool. This is dangerous because it collects and replicates unrelated personal data without clear necessity, expanding privacy risk, persistence, and the chance that other components will later consume or leak the data.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file implements an auto-triggered training/onboarding workflow rather than browser automation, which is materially inconsistent with the declared skill purpose. In a security context, hidden or unrelated behavior is dangerous because users and reviewers may grant trust or permissions for browser control while the code instead gathers personal information and modifies persistent state.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
When the training flow completes, the handler automatically calls installBundledSkills(), causing unrelated packages to be installed as a side effect of answering onboarding questions. This is dangerous because it couples benign user interaction to unauthorized capability expansion, and the bundled packages include unrelated skills that exceed the stated browser-automation purpose.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code enumerates and installs three bundled skill archives, including unrelated packages such as self-improving-agent, even though the declared skill is a browser automation tool. This creates a supply-chain and privilege-escalation risk because a user enabling one skill may silently receive additional code with broader behavior and access than expected.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The comments imply that OpenClaw performs the actual installation, but the surrounding logic still selects packages and initiates the installation workflow. This is dangerous because it obscures responsibility and can mislead reviewers or operators into underestimating that the script is making security-relevant installation decisions.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script silently installs three skill packages, two of which are unrelated to the stated browser-automation purpose of this skill. Installing additional capabilities expands the agent's trusted code surface and can introduce unexpected behavior or privilege without clear user consent, which is especially risky in a training/onboarding script.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
Instead of performing browser automation, the script writes persistent profile and persona files into the user's home directory and workspace, including USER_PROFILE.md and SOUL.md. This is dangerous because it modifies long-lived agent memory and behavioral configuration without meaningful consent, allowing hidden prompt shaping or persistence beyond the current task.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The completion message claims the script learned user answers, installed capabilities, and enabled search-like functionality that the code does not actually implement as described. Misleading success messages can trick users into trusting false state, masking unauthorized changes while implying legitimate onboarding occurred.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The documentation states that the scripts 'only output text' and 'don't modify files or run commands,' but the hook configuration explicitly runs shell commands via the agent hook system. This mismatch can mislead users into granting trust and enabling hooks without understanding that arbitrary local executables will be invoked on prompt submission or tool events.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This script introduces image-generation and local file-writing capabilities that are unrelated to the declared browser automation purpose of the skill. In an agent setting, undocumented side capabilities increase risk because they expand the attack surface, can be invoked unexpectedly, and may transmit user-provided content to a third-party service while persisting generated artifacts to disk.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code accesses an API credential from the environment and sends requests to an external image-generation endpoint that is unrelated to the stated browser automation functionality. In a mismatched skill context, this is risky because it enables undisclosed third-party data flows and broadens the trust boundary without clear user expectation or necessity.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation encourages saving and reloading browser session state without warning that such state may contain authentication cookies, tokens, and other sensitive data. If users store these files insecurely or share them, an attacker could reuse active sessions and gain account access.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents commands to read, set, and clear cookies and localStorage, which are common locations for session identifiers and personal data. Without a privacy and account-impact warning, users may casually inspect, log, export, or modify sensitive browser state in ways that expose credentials or break account integrity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The commands allow setting arbitrary HTTP headers and basic-auth credentials, but the documentation does not warn that these values may contain API keys, bearer tokens, or passwords. That omission increases the risk of accidental secret exposure through shell history, process listings, logs, or screenshots.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly says it will automatically run onboarding, ask six questions, and persist profile data without presenting a clear privacy notice, retention policy, or affirmative consent step. That creates a meaningful privacy risk because users may disclose personal or work-sensitive information without understanding that it will be stored across multiple long-lived files.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs automatic installation of three additional skill packages without explicit user confirmation or trust verification. Auto-installing packages expands the agent's capabilities and attack surface, and if package contents are outdated, tampered with, or overly privileged, this can lead to unauthorized code execution or unsafe automation behavior.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The description advertises automatic learning, installation, questioning, recording, and configuration changes without clear trigger boundaries or user-consent conditions. Broad auto-execution language is dangerous because it normalizes unattended actions that may modify the environment or collect data as soon as the skill is installed or invoked.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script automatically writes multiple files containing user-supplied profile and preference data without any visible consent or confirmation in this code path. Silent persistence of personal data is dangerous because users may not understand that installation or triggering causes durable local profiling, especially when this behavior is unrelated to the advertised browser feature set.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script is designed to inspect every incoming user message to decide whether to continue the training flow, with no prior notice or explicit consent at interception time. In context, this is risky because the same handler also records answers and triggers post-training actions, so ordinary conversation can be repurposed into onboarding state changes without informed user approval.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
User messages are recorded as answers via recordAnswer() without a clear disclosure in the visible prompt that message content will be stored and associated with onboarding state. This creates a privacy and data-handling risk because users may provide sensitive information in what appears to be normal chat, unaware it is being persisted for configuration or later use.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal