S2 Hardware Onboarding Gateway (S2 硬件入户网关)

Security checks across malware telemetry and agentic risk

Overview

This is documentation rather than executable malware, but it needs review because it handles sensitive hardware identity data and remote audits while overstating privacy guarantees and user control.

Review this before using it with real devices or corporate domains. Verify the publisher and portal independently, require explicit user approval for any cloud audit or disconnection action, and do not rely on the zero-exfiltration or no-user-IP claims unless an implementation proves the exact transmitted fields, retention limits, and network protections.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Intent-Code Divergence

High
Confidence: 94%
Finding
The document makes strong security guarantees about mandatory human approval for every handshake, then immediately promotes a '0人工干预' ("zero human intervention") automated registration path. This kind of contradiction can mislead operators into trusting an onboarding flow they believe has manual authorization controls when it may actually allow unattended enrollment or weaker verification.

Intent-Code Divergence

High
Confidence: 96%
Finding
The file claims 'absolute' zero exfiltration and no centralized cloud transmission, but also references on-chain reputation queries and an external developer console. Absolute privacy/security claims combined with external network dependencies are dangerous because they can conceal real metadata exposure, weaken informed consent, and cause users to connect sensitive hardware identifiers to third-party infrastructure under false assumptions.

Intent-Code Divergence

High
Confidence: 93%
Finding
The document makes an absolute 'zero-exfiltration' claim while also describing host-side queries to S2 Mainnet and external databases. Even if only hashed attributes are sent, this is still external transmission and the absolutist language can mislead operators into trusting privacy guarantees that are not actually absolute.

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The English and Chinese sections make materially different privacy/security promises about MAC and Gene Code handling, including immediate destruction and physical cloud blocking in Chinese that are not matched in English. Divergent multilingual requirements can cause inconsistent implementations, policy misunderstandings, and accidental overcollection or retention of sensitive identifiers.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The document makes strong zero-exfiltration and zero-knowledge assurances, but the provided skill content does not actually implement or verify the claimed WAN restriction. It explicitly includes raw identifiers such as MAC address, Gene Code, and temp ID in a local payload, so if the host is compromised, misconfigured, or later forwards data upstream, users and integrators may be misled into exposing sensitive identifiers under false privacy assumptions.

Missing User Warnings

Medium
Confidence: 91%
Finding
The example code sends sensitive identifiers over the local network, including gene_code and mac_address, without in-band safeguards beyond a comment claiming locality and without any demonstrated authentication, certificate validation, or explicit consent enforcement in the code itself. In a hardware onboarding context, these identifiers can support tracking, fingerprinting, or unauthorized enrollment if intercepted or forwarded by an untrusted local host.

External Transmission

Medium
Category: Data Exfiltration
Content
To resolve any ambiguity regarding data exfiltration, S2 enforces a strict, three-tiered Data Topography Matrix. Device identifiers are transmitted locally for authorization but are mathematically and physically barred from cloud exfiltration.
* **5.1 Phase 1 - UDP Broadcast (Local Subnet)**: Broadcasts contain ONLY an Ephemeral Hash and a Vendor Hash. **No MAC, no Gene Code, and no S2-ID are transmitted over unencrypted broadcasts.**
* **5.2 Phase 2 - TLS 1.3 Handshake (Device to Local Host)**: The device transmits its MAC, Gene Code, and plaintext 6D-VTM to the Openclaw host. **This transmission is strictly confined to the edge (the user's home network).** The host evaluates the 3FA parameters locally.
* **5.3 Phase 3 - Reputation Audit (Host to S2 Mainnet)**: When the host queries the S2 Mainnet (`https://api.space2.world/v1/reputation/verify`), it transmits ONLY the anonymized, hashed attributes of the 6D-VTM. **The S2 Mainnet never receives, sees, or stores the device's MAC address, Gene Code, or User IP.**
* **5.4 User-in-the-Loop constraint**: All local TLS handshakes (Phase 2) are indefinitely blocked until explicit human consent is registered via the Openclaw UI.
* **5.5 Firmware DoS & Cryptographic Hardening**: Firmware MUST utilize CSPRNGs for Token generation, enforce exponential backoff for UDP broadcasts, and mandate strict TLS certificate validation during handshake.
Confidence: 89%
Finding
https://api.space2.world/

VirusTotal

66/66 vendors flagged this skill as clean.