Openclaw Skill Clawban

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate project-management workflow skill, but it needs review because scheduled automation can change external task state and the promised assigned-only scope is not consistently enforced.

Install only with narrowly scoped PM credentials and use it first without --autopilot-install-cron. Review configured repos/projects and stage maps carefully, because the GitHub path may act on any matching staged issue in scope, not only tasks assigned to the agent. Enable recurring comments or cron automation only after confirming who can be affected and how to disable the cron job.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill offers an option to install a cron job that will persistently execute autopilot-tick, but the description does not prominently warn that this creates ongoing scheduled execution on the host. Persistent automation can surprise users, generate unintended external actions, and continue operating after the user forgets it was enabled, especially in an agentic workflow that may write to PM systems.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill states it can automatically post progress update comments every 5 minutes while work is in progress, but it does not clearly foreground that this causes recurring writes to external PM platforms. In multi-project or misconfigured environments, this can create noisy or misleading updates, leak agent-generated content externally, and make unintended changes at scale without the user realizing the automation is active.

Missing User Warnings

Medium
Confidence: 86%
Finding
The requirement mandates automatic posting every 5 minutes while a task is in progress, but does not require explicit user consent, visibility, rate limiting, or guardrails. In an agentic workflow this can cause unintended continuous external writes, comment spam, leakage of sensitive work-in-progress details, and operational noise across integrated PM systems.

Missing User Warnings

Medium
Confidence: 89%
Finding
The auto-reopen rule silently changes task state when a human comments on blocked or in-review items, with no approval step or user notification. Silent state transitions can be triggered unexpectedly by routine discussion, allowing workflow manipulation, confusing audit trails, and causing agents to resume work on items that were intentionally paused or awaiting review.

VirusTotal

64/64 vendors flagged this skill as clean.
