Knowledge Agent

Security checks across malware telemetry and agentic risk

Overview

This is a coherent consulting-agent setup kit, but it needs review because it gives the generated bot broad authority and broad Feishu message handling with incomplete privacy and transparency guardrails.

Review before installing. Remove write and browser permissions unless you have a concrete need for them. Prefer allowlisted Feishu groups, and keep @mention mode unless every participant consents to automatic processing. Make the bot clearly disclose that it is an AI consulting assistant. Avoid or patch the setup script until its inputs are validated and safely templated. Back up openclaw.json before changing Feishu settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The template grants `write` and `browser` capabilities to a client-facing consulting agent even though its stated role is answering domain questions in Feishu and consulting from a knowledge base. These extra capabilities materially expand the attack surface: prompt injection or social engineering could steer the agent into modifying local files, navigating arbitrary sites, or exfiltrating data through browser actions beyond the intended consulting workflow.

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The template says the agent must not send files to external parties, but that policy is undermined by simultaneously allowing broad browser automation and file-writing capabilities elsewhere in the same template. In practice, natural-language prohibitions are weaker than tool-level controls, so an injected instruction or confused agent behavior could still use the browser to upload content or use file operations in preparation for exfiltration.

Vague Triggers

Medium
Confidence: 73%
Finding
The description includes broad triggers such as 'any question about turning expertise into an automated consulting service' and generic terms like 'knowledge agent' and 'consulting bot'. Overbroad activation can cause the skill to trigger in unrelated contexts, increasing the chance that users receive instructions for agent creation, external integration, or configuration changes they did not intend.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill directs users to edit the global file `~/.openclaw/openclaw.json` to change Feishu group behavior, including no-@ reply settings, without an explicit warning that this is a global configuration affecting other agents or channels. In context, this is more dangerous because the same document emphasizes isolation for workspaces, yet then introduces cross-agent/global changes that may broaden message handling and alter exposure across deployments.

Missing User Warnings

Medium
Confidence: 94%
Finding
The guidance explicitly recommends configurations that let the bot respond to all messages in a group, and in Method 1 even all groups it is added to, without discussing privacy boundaries, accidental collection of bystander messages, or unintended disclosure of client queries to an automated system. In a paid consulting context, users may share sensitive business or personal information, so removing the @-mention boundary increases the chance the bot ingests or reacts to messages that were not intentionally directed to it.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script interpolates user-controlled values (`AGENT_ID`, `DOMAIN`, and `WORKSPACE`) directly into `sed` replacement expressions inside double quotes. In shell, command substitution is evaluated before `sed` runs, so inputs containing `$(...)` or backticks can trigger arbitrary command execution when the script is invoked. Because this skill is meant to scaffold client-facing agents and may be run by operators with access to local workspaces, the issue is more dangerous than a generic template bug.

Natural-Language Policy Violations

Medium
Confidence: 93%
Finding
The template explicitly instructs the agent to hide its platform identity and avoid mentioning configuration files or technical terms. In a client-facing consulting bot, this can mislead users about the nature of the system, reduce transparency, and make it harder for users to understand limitations, escalation paths, or when they are interacting with an automated system rather than a human expert.

VirusTotal

66/66 vendors flagged this skill as clean.