Preqstation

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent for delegating coding work, but it can start background code-changing agents with approval-bypass and sandbox-bypass flags, so users should review it carefully before installing.

Install only if you intentionally want OpenClaw to delegate code-changing work to local Claude, Codex, or Gemini CLIs. Use it only on trusted repositories, verify MEMORY.md project mappings, monitor and stop background sessions when needed, and inspect all worktree diffs before merging or pushing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium (94% confidence)
The skill repeatedly claims execution will stay within a resolved local worktree, but the PR-review fallback clones an arbitrary repo into a temp directory and runs a coding agent there. That breaks the declared trust boundary and can cause the agent to operate on unvetted repositories or attacker-controlled content outside the mapped workspace model.

Context-Inappropriate Capability

Medium (97% confidence)
The skill instructs spawned agents to invoke `openclaw system event`, giving delegated code agents a host-level side-effect capability unrelated to editing code. If the prompt or repository is adversarial, this widens the blast radius from code changes to system-level signaling or automation abuse on the host.

Vague Triggers

Medium (92% confidence)
The README instructs broad natural-language activation and explicitly prioritizes this skill when messages include generic trigger terms like 'preq' or 'preqstation'. Because this skill can create worktrees and launch background CLI sessions, overly permissive invocation rules increase the chance of unintended execution of code-capable agents in the wrong context or on ambiguous user requests.

Missing User Warnings

Medium (95% confidence)
The documentation states that worktree-first execution is default and that commands should be launched with PTY and 'background:true' by default, but it does not prominently warn users that this creates new git worktrees and persistent background sessions. This can lead to surprising side effects, unnoticed long-running processes, repository changes in derived checkouts, and reduced user awareness of execution state.

Vague Triggers

Medium (91% confidence)
The trigger terms include very broad words like `preqstation` and especially `preq`, which may appear in ordinary conversation and cause unintended activation. Because this skill launches powerful local coding agents with dangerous approval-bypass flags, accidental invocation materially increases the chance of unexpected code execution.

Missing User Warnings

Medium (88% confidence)
The skill persists absolute local workspace paths into `MEMORY.md` without warning the user that sensitive filesystem locations will be stored. This can leak personal directory structures, project names, usernames, or internal mount points to later prompts, logs, or anyone with access to that file.

VirusTotal

66/66 vendors flagged this skill as clean.