ClawHub

Agent Scout

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed setup guide for a research agent, but it gives that agent persistent Telegram, memory, web, and inter-agent capabilities without enough boundaries or privacy guidance.

Install only if you intentionally want a persistent research agent connected to Telegram and local OpenClaw memory. Use a dedicated low-sensitivity workspace, keep the bot token out of shell history and tracked files, restrict Telegram allowlists, review memory/search provider exposure, and add explicit approval rules before Scout can use browser automation, share memory-derived information, or message other agents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill instructs operators to place a Telegram bot token directly into configuration without any handling guidance, which increases the chance of credential leakage via shell history, screenshots, config files, or repository commits. A leaked bot token would allow unauthorized control of the bot and access to inbound communications.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill enables web search, web fetch, Telegram integration, memory search, and agent-to-agent messaging without any privacy or data-handling warning. This creates a real risk that user prompts, retrieved content, or stored memory may be transmitted to external providers or exposed across channels without informed consent or minimization.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal