ClawHub

Event-Watcher

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it watches configured events and can wake or message OpenClaw sessions, with disclosed operational risks users should configure carefully.

Install only if you want a background process that can automatically wake or message OpenClaw sessions from Redis or webhook events. Keep the safety preamble enabled for untrusted sources, use narrow filters and reply targets, disable session-store lookup if you do not want local session metadata read, protect logs, and pin redis/pyyaml before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises Python runtime dependencies and instructs users to run watcher scripts that read configuration, ingest webhook/Redis events, write logs/state, and execute as background processes, but it does not declare corresponding permissions. This creates a transparency and policy-bypass problem: an agent or reviewer may treat the skill as lower risk than it is, even though it clearly needs file, environment, and likely shell access to function.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill scans local OpenClaw session-store files in the user's home directory and uses them to resolve session IDs for message routing. This creates a cross-session data exposure and confused-deputy risk: an event source or watcher configuration can cause the skill to discover and interact with unrelated agent sessions without explicit user approval.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The watcher can instruct the downstream agent to read an arbitrary local prompt file referenced by watcher configuration via prompt_file or @file:/@prompt: syntax. Because watcher configuration can steer the agent toward local filesystem content, this enables local file disclosure or indirect prompt injection into the agent from attacker-controlled or overly broad file paths.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The watcher logs session identifiers, reply routing fields, and a preview of the generated message sent to the agent. Since messages are derived from untrusted event payloads and may contain secrets or sensitive business data, these logs can leak session metadata and message contents to anyone with filesystem or log access.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The same sensitive logging pattern appears in the webhook path, recording session identifiers, routing metadata, and message previews for webhook-derived content. Because webhook payloads are often externally supplied, this increases the chance of logging attacker-controlled sensitive or toxic content and exposing it through operational logs.

Unpinned Dependencies

Low
Category
Supply Chain
Content
redis
pyyaml
Confidence
97% confidence
Finding
redis

Unpinned Dependencies

Low
Category
Supply Chain
Content
redis
pyyaml
Confidence
99% confidence
Finding
pyyaml

Known Vulnerable Dependency: redis — 4 advisory(ies): CVE-2023-28858 (redis-py Race Condition vulnerability); CVE-2023-28859 (redis-py Race Condition due to incomplete fix); CVE-2023-28858 (redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connectio) +1 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
redis

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
99% confidence
Finding
pyyaml

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal