Openclaw Listing Bot

Security checks across malware telemetry and agentic risk

Overview

This skill appears to automate creating and publishing other skills, which is high-impact and not clearly bounded by user approval or containment.

Install only if you intentionally want an agent to generate, publish, replace, and deprecate skills on your behalf. Use a staging directory, require manual review before publishing or deprecating anything, and verify where earnings or marketplace data is stored and sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill explicitly describes an autonomous loop that generates new SKILL.md files, tests them, and publishes them to external marketplaces without meaningful human approval gates. That gives it broad self-propagating content creation and deployment capability, which is dangerous because it can mass-produce unsafe, deceptive, policy-violating, or malicious skills at scale from a single prompt or compromised input source.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill instructs writing generated skills into /home/workspace/Skills/, described as a location where Zo agents discover skills, and also mirrors content for zo.pub sync. Writing agent-consumable artifacts into shared discovery paths enables lateral propagation: other agents may load or trust generated skills, extending the blast radius beyond the original workspace.

Intent-Code Divergence

Low
Confidence: 84%
Finding
The name 'listing bot' understates the actual capabilities, which include self-learning, generation, testing, publishing, replacement, and deprecation of skills. This capability mismatch increases operational risk because users may grant permissions or execute it under a narrower trust assumption than its documented behavior warrants.

Missing User Warnings

Medium
Confidence: 91%
Finding
The workflow describes autonomous creation, testing, publication, and deprecation actions as routine behavior but provides no user-facing warning about irreversible external effects, content risk, or account/platform consequences. In practice, this can cause operators to trigger broad outbound actions without informed consent or understanding of reputational, legal, or security impact.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill logs earnings data and publishes to external services, yet it omits privacy, data handling, and network disclosure warnings. Even if the logged data seems business-oriented, it may include account identifiers, platform metadata, commercial performance, or other sensitive operational details that could be leaked, mishandled, or transmitted unexpectedly.

VirusTotal

64/64 vendors flagged this skill as clean.
