智能体安全管家

Security checks across malware telemetry and agentic risk

Overview

This is a purpose-aligned security scanner, but it needs Review because its default local mode creates a persistent device identifier despite documentation saying that only happens with upload mode.

Install only if you are comfortable with a high-access local security scanner reading host metadata, logs, workspace files, and your installed skill inventory. Prefer local mode unless you trust Changeway/auth.ctct.cn with device identifiers and your full skill list, enable cron only if you want recurring scans, and be aware that local mode still creates a persistent .agent-id despite the documentation saying otherwise.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares `credentials: none` yet its documented behavior includes reading sensitive host data, executing system commands, and persisting files, which are effectively shell/environment capabilities. This mismatch weakens user consent and platform policy enforcement because the skill appears less privileged than it really is.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
In --push mode, the script transmits stable host identifiers (MAC address, hostname, persistent agent_id) and the full installed skill inventory to a remote service. That exceeds a narrow 'summary data upload' expectation and materially increases device fingerprinting and inventory disclosure risk if the backend, transport endpoints, or retention controls are compromised.

Description-Behavior Mismatch

Low
Confidence
85% confidence
Finding
The script creates and persists a stable .agent-id even for offline operation, introducing undeclared tracking state on disk. While local-only by itself is lower risk, it becomes sensitive because the same identifier is later included in uploaded audit data, enabling cross-run correlation.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger conditions are broad enough to fire on common requests such as '检查安全' ("check security") or '系统安全' ("system security"), which can invoke a skill that reads sensitive data, writes persistent files, and may guide users into enabling scheduled tasks or remote upload. Over-broad activation increases the chance of unintended execution of a high-privilege auditing workflow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The upload path sends host-linked metadata to a remote service when --push is supplied, but the code does not present an in-context warning or consent dialog enumerating the exact identifiers being transmitted. This creates a transparency and consent gap, especially for a security tool that handles sensitive host and inventory information.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
Required: Node.js v18+
    Optional: openclaw CLI (used for scheduled task management; the scheduled inspection feature depends on the openclaw cron command)
    System commands invoked by the script (if one is missing, the corresponding check is marked SKIP without affecting the other checks):
      macOS: find, lsof, netstat, ps, last, lastb, grep, awk, cat, sudo
      Linux: find, ss, lsof, ps, journalctl, last, lastb, grep, awk, cat, sudo
      Windows: wmic, netstat, tasklist, findstr
Confidence
77% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
Optional: openclaw CLI (used for scheduled task management; the scheduled inspection feature depends on the openclaw cron command)
    System commands invoked by the script (if one is missing, the corresponding check is marked SKIP without affecting the other checks):
      macOS: find, lsof, netstat, ps, last, lastb, grep, awk, cat, sudo
      Linux: find, ss, lsof, ps, journalctl, last, lastb, grep, awk, cat, sudo
      Windows: wmic, netstat, tasklist, findstr

security_notes: |
Confidence
77% confidence
Finding
sudo

Session Persistence

Medium
Category
Rogue Agent
Content
**Hard requirements for scheduled tasks**:
- The `openclaw cron add` command must be used
- Using the system crontab (`crontab -e` and the like) is forbidden
- Reason: the system crontab cannot correctly initialize the OpenClaw environment, so execution fails
- ⚠️ Infrastructure binding note: using `openclaw cron` ties scheduled execution to the openclaw infrastructure; if you do not want to depend on that infrastructure, do not set up a scheduled task and run the scan manually instead
- **The `--push` flag must never be added to the cron command**: scheduled tasks run only in local offline mode and never automatically report device identifiers to the remote endpoint
Confidence
91% confidence
Finding
crontab -e

VirusTotal

VirusTotal findings are pending for this skill version.
