Claude Handoff

Security checks across malware telemetry and agentic risk

Overview

The skill performs its handoff purpose, but it can send task and project details to an environment-selected notification endpoint and keeps persistent local metadata logs.

Install only if you are comfortable with detailed handoff files being written locally, a persistent home-directory handoff log being kept, and notifications potentially exposing task summaries, paths, and commands. Check or unset OPENCLAW_NOTIFY_ENDPOINT unless you intentionally trust that notification destination, and review generated handoff files for secrets before sharing or running Claude on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Tainted flow: 'req' from os.environ.get (line 243, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
openclaw_endpoint, data=data,
                headers={"Content-Type": "application/json"},
            )
            urllib.request.urlopen(req, timeout=5)
        except Exception as e:
            print(f"[notify] OpenClaw notify failed: {e}", file=sys.stderr)
Confidence
95% confidence
Finding
urllib.request.urlopen(req, timeout=5)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation says the skill only writes handoff files, but `notify_user` also writes `.openclaw-skills/last_notification.json`. This is a security-relevant documentation mismatch because it creates undisclosed persistence of task metadata and can defeat user expectations about where data is stored.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill is described as writing a handoff package, but it also performs external network notification. This expands the data exposure surface beyond the stated capability and can leak task information off-host without the user's explicit expectation, which is especially risky for a handoff tool handling codebase and failure details.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The skill persists handoff analytics to a SQLite database under the user's home directory, outside the project, even though that storage is not necessary to create the handoff artifact. Persistent cross-project logging of task metadata can create an unintended surveillance trail and increases sensitivity if the host is shared or later compromised.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The notification path explicitly states OpenClaw may send messages via WhatsApp, Telegram, or Discord, and the body includes task-derived details and a runnable command. Forwarding operational context to third-party messaging services without prominent disclosure and consent creates a real exfiltration path for sensitive project names, file paths, and task content.

Ssd 3

Medium
Confidence
96% confidence
Finding
The handoff format preserves the verbatim user request and gathered context, which may include proprietary code details, secrets, internal paths, or sensitive business data. Because this package is designed for onward transfer and later notification/logging, it creates a straightforward natural-language leakage channel.

Ssd 3

Medium
Confidence
94% confidence
Finding
The build error and critique sections intentionally preserve prior model outputs and diagnostics, which often contain source snippets, stack traces, file paths, API keys accidentally echoed in errors, or user data from earlier steps. Carrying these forward into a handoff broadens retention and increases the chance of leaking sensitive content to another system or channel.

Ssd 3

Medium
Confidence
98% confidence
Finding
The notification body includes the handoff path and full ready-to-run command, both derived from project and task context, and this body is sent through configurable external messaging channels. That exposes filesystem structure, project identity, and potentially sensitive task intent to third-party services and chat archives.

Ssd 3

Medium
Confidence
91% confidence
Finding
The handoff template copies the original task, files read, documentation references, planning notes, build errors, and critique content into a plaintext artifact. Those fields can easily contain secrets, internal paths, proprietary code details, or sensitive user instructions, so writing them wholesale increases the chance of disclosure through local access, syncing, backups, or later sharing with cloud tooling.

Ssd 3

Medium
Confidence
88% confidence
Finding
The notification body includes a human-readable task summary and the full command referencing the handoff file. Notifications are an additional disclosure channel that may be visible in logs, terminals, desktop notification centers, or remote monitoring systems, exposing task details beyond the intended artifact.

Ssd 3

Low
Confidence
82% confidence
Finding
The analytics log stores timestamp, task slug, reason, project root, and token estimates persistently without strong minimization. While less severe than full content logging, this metadata can still reveal project names, work patterns, and escalation behavior over time.

VirusTotal

65/65 vendors flagged this skill as clean.
