Clawbuddy Litekit

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow dashboard launcher and status checker, with its credential use disclosed, though users must trust the hosted ClawBuddy/Lovable service before entering an OpenClaw API key.

Install only if you are comfortable using the hosted ClawBuddy dashboard and Lovable/Supabase edge functions with your OpenClaw environment. Treat OPENCLAW_API_KEY as sensitive, verify what access that key grants, and prefer a scoped or revocable key if OpenClaw supports one.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill advertises shell commands (`bash scripts/open-dashboard.sh`, `bash scripts/status.sh`) but does not declare permissions, creating a mismatch between its documented behavior and its security model. This is dangerous because agents or reviewers may treat the skill as lower-risk than it is, while it still induces local command execution that could be abused if the referenced scripts perform unexpected actions.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal