Gstack OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only engineering workflow pack, but it under-scopes high-impact production, repository, credential, browser-session, and notification guidance that users should review before use.

Prefer installing through ClawHub, not the stale manual ./install.sh path. Treat this skill as advisory unless you explicitly authorize each code change, PR merge, deployment, rollback, browser login test, webhook notification, or telemetry example; use test accounts and scoped credentials, review generated commands before running them, and redact secrets or sensitive operational data before sharing with third-party services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Intent-Code Divergence
Medium severity, 90% confidence
The README explicitly claims the skill is 'documentation-only' and does not perform external actions, but elsewhere advertises capabilities like production deployment, rollback decisions, browser testing, GitHub checks, and outbound notifications. Even if this file itself contains no executable code, this mismatch can mislead users and reviewers into granting trust or permissions they would not otherwise allow, which is a security-relevant deception issue.

Description-Behavior Mismatch
Medium severity, 86% confidence
The top-level description presents the package as a thought/framework collection, but the documented scope includes operational DevOps actions, browser automation, GitHub integration, and notifications. This capability understatement increases the risk of users installing or invoking the skill under false assumptions about what it may do in an agent environment.

Intent-Code Divergence
Medium severity, 97% confidence
The file makes an explicit safety claim that there is no executable code or installation script, yet later instructs users to run `./install.sh`. This kind of contradiction can mislead users and reviewers into lowering their guard around installation behavior, increasing the chance they execute a script they otherwise would inspect first.

Description-Behavior Mismatch
Medium severity, 90% confidence
The QA skill explicitly expands from advisory testing into generating fixes, applying them, validating locally, and submitting PRs. That materially increases operational scope from analysis to code modification, which is risky because a testing-oriented persona may be invoked in contexts where users expect read-only guidance, not repository-changing actions.

Context-Inappropriate Capability
Medium severity, 93% confidence
The documented ability to apply fixes and progress toward PR submission is not aligned with the declared QA/testing purpose, creating a privilege and expectation mismatch. In practice this can bypass normal review boundaries, letting a QA-scoped invocation alter code or repository state under the guise of testing assistance.

Description-Behavior Mismatch
Low severity, 82% confidence
The skill documentation states downstream use that can update CI status and influence merge decisions, which exceeds a pure QA advisory role. Even if described as integration rather than direct execution, this normalizes a path from QA output to release-control decisions, increasing the chance of unsafe automation or confused-deputy behavior.

Missing User Warnings
Medium severity, 98% confidence
The manual installation instructions tell users to run `./install.sh` without any warning or verification guidance, despite the earlier statement that no such script exists. Even if the script is absent today, documenting execution of local shell scripts conditions users to run code from cloned repositories, which is a common initial access vector when documentation is misleading.

Missing User Warnings
Medium severity, 86% confidence
The RUM example sends collected Web Vitals metrics to an analytics endpoint without any notice about telemetry collection, consent, retention, or minimization. While the example does not obviously exfiltrate secrets, it normalizes silent client-side data transmission and could lead downstream users to deploy privacy-impacting monitoring without appropriate disclosure or controls.

Missing User Warnings
Medium severity, 88% confidence
The skill explicitly demonstrates entering credentials and reading a token from localStorage during browser testing, but it provides no warning about handling sensitive authentication data or the privacy/security implications of inspecting browser storage. In an agent context, this can normalize unsafe use on real accounts, lead to accidental collection of secrets in logs or reports, and expand exposure of session material beyond what is necessary for testing.

Missing User Warnings
Medium severity, 82% confidence
The skill explicitly promotes automatic rollback or continue-release decisions in production-facing canary workflows without a clear safety warning, approval gate, or limitation statement. In an agent context, this can normalize disruptive operational actions and increase the chance of unintended production changes or outages if users over-trust the automation.

Missing User Warnings
Medium severity, 88% confidence
This section describes '指标危险 → 自动回滚' ('metrics in danger → automatic rollback') as a default operational behavior without discussing safeguards, blast radius, or authorization. In production deployment tooling, automatic rollback is not inherently unsafe, but presenting it without caution in a reusable agent skill can lead to hazardous autonomous behavior and service instability.

Missing User Warnings
Medium severity, 86% confidence
The anomaly workflow example describes automatic rollback after a short delay as if it were a routine consequence, but does not warn about irreversible or disruptive production effects. In the context of an agent skill for deployment monitoring, examples strongly shape operator expectations and can encourage unsafe automation patterns.

Natural-Language Policy Violations
Medium severity, 86% confidence
The skill metadata and content are written entirely in Chinese and do not offer a language-selection mechanism or instruct the agent to respect the user's preferred language. This can cause the agent to respond in a language the user does not understand, leading to confusion, incorrect use of GitHub automation guidance, and degraded safety/usability, though it is not a direct code-execution risk.

Missing User Warnings
Medium severity, 95% confidence
The skill explicitly positions itself to merge PRs and deploy to production in one step, but it does not require an explicit confirmation or safety gate before performing irreversible production-impacting actions. In an agent setting, this increases the chance of accidental or prompt-induced changes to live systems, especially because merging and production deployment are bundled together as routine behavior.

Missing User Warnings
Medium severity, 92% confidence
The rollback section normalizes automatic rollback of live production changes without a user-facing warning about service impact, state inconsistencies, or the need to verify database/schema compatibility. Automatic rollback can be safety-positive operationally, but in an agent skill it is still a destructive live action and should not be presented as unconditional or approval-free.

Missing User Warnings
Medium severity, 94% confidence
The markdown presents automatic bug-fix application and a workflow leading to deployment/merge without warning about code changes, approvals, rollback, or review requirements. That is dangerous because users may treat the skill as safe documentation while it implicitly endorses autonomous repository modifications that can introduce defects or security regressions.

VirusTotal

55/55 vendors flagged this skill as clean.