Openclaw Pii Anonymizer

Security checks across malware telemetry and agentic risk

Overview

This is a manual PII-redaction helper that behaves mostly as described, but users should treat its output and Ollama endpoint as privacy-sensitive.

Install only for manual, reviewed workflows. Keep OLLAMA_URL on localhost or a trusted private Ollama instance, assume redaction may miss PII, and review output before sending it to external APIs. Do not rely on the unfinished automatic hook for protection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill declares external tool and shell usage (`bash`, `curl`, `jq`, `sed`) and provides shell execution examples, but no explicit permissions model is declared. In an agent ecosystem, undocumented execution capability increases the risk that the skill is invoked with broader authority than users expect, especially because it processes sensitive input and can make outbound requests to a local LLM service.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The script sends the full raw input directly to the LLM service for anonymization, meaning sensitive data leaves the shell process before any deterministic redaction occurs. In a privacy tool whose purpose is to scrub PII before downstream AI processing, that defeats the trust boundary and can expose secrets to whatever service is bound to OLLAMA_URL, especially since the endpoint is configurable via environment variable.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The README explicitly recommends piping 'anonymized' user input to an external API while elsewhere acknowledging the tool is only partially working and has known regex/LLM edge cases. That creates a real privacy risk because users may overtrust the anonymization and send residual PII to third parties without any warning about imperfect detection, model misses, or failed interception.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script transmits potentially sensitive text to an HTTP-served LLM endpoint for redaction, and the disclosure risk exists before anonymization is complete because the LLM pass is specifically invoked to detect names and contextual PII that regex did not remove. Using plain HTTP and an endpoint configurable via OLLAMA_URL increases the chance that sensitive data is exposed to another process, host, or a network listener without explicit user consent or strong trust boundaries.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The script transmits user-supplied content to an HTTP service without any explicit disclosure, confirmation, or visible privacy notice at runtime. For a PII anonymizer, hidden transmission is especially risky because users may reasonably assume processing is purely local and non-networked, leading to unintentional disclosure of highly sensitive data.

VirusTotal

66/66 vendors flagged this skill as clean.