codeflow

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real session-streaming tool, but it also weakens agent permission controls and can change OpenClaw plugin/gateway settings, so it needs review before installation.

Install only if you want a high-privilege relay/control workflow, not just a passive viewer. Use private Discord/Telegram targets, enable CODEFLOW_SAFE_MODE, set CODEFLOW_STREAM_LOG=redacted or off for sensitive work, review any enforcer install/restart/allowlist change before running it, and do not apply the global Claude bypassPermissions/allow-all setup on a machine that handles important repositories or secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if session_key:
        env["OPENCLAW_SESSION_KEY"] = session_key
        env["OPENCLAW_SESSION"] = session_key
    return subprocess.run(
        ["/bin/bash", codeflow_bin(), *argv],
        capture_output=True,
        text=True,
        env=env,
    )
Confidence
93% confidence
Finding
return subprocess.run( ["/bin/bash", codeflow_bin(), *argv], capture_output=True, text=True, env=env, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises and instructs use of shell execution, file access, network delivery, and environment-dependent behavior, yet no explicit permissions are declared. That creates an authorization and review gap: operators may underestimate what the skill can do, and the host may grant broad capabilities implicitly without user-visible consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description frames the skill primarily as a passive streaming/observability tool, but the documented behavior includes enforcement hooks, command blocking, plugin installation/update/uninstall, gateway restart orchestration, GitHub review actions, and parallel task execution. This mismatch can mislead users into authorizing a much more privileged control-plane tool than they intended, increasing the chance of unexpected system modification or external actions.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The setup explicitly instructs users to configure Claude Code with `defaultMode: bypassPermissions` and `allow: ["*"]`, which removes interactive approval barriers for all future agent actions. In a coding-agent skill that can invoke tools and shell commands, this materially increases the blast radius of prompt injection, agent mistakes, or malicious downstream instructions by turning guarded operations into silent execution.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The script emits status messages to `openclaw system event`, which is an additional outbound communication path beyond Discord/Telegram relay. Even though the payload is limited to agent name, workdir, and exit status, this creates an undisclosed telemetry channel that may leak sensitive project paths or operational activity to another bus or controller.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script exposes administrative actions to install, update, uninstall, allowlist, and optionally restart an OpenClaw enforcement plugin, which materially exceeds the advertised scope of a streaming/relay skill. Even if intended for enforcement, bundling host-level plugin management into a chat-invokable skill creates a privileged control path that can alter host behavior and security posture.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script can restart the OpenClaw gateway via maybe_restart_gateway, which is a host-control operation with availability impact. In the context of a streaming skill, restart capability is unnecessary and dangerous because it allows service disruption and immediate activation of newly installed components.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script reads and modifies the OpenClaw plugins.allow configuration, automatically adding its plugin to the allowlist. Auto-allowlisting reduces the security boundary around plugin loading and can normalize unauthorized persistence or activation of bundled code without an independent trust decision by the operator.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script silently falls back to reading a Telegram bot token from a local OpenClaw config file and then uses it to post network messages. That expands the skill's credential access beyond explicit runtime inputs, which is risky for a relay tool because it can exfiltrate session content through credentials the user did not intentionally provide to this invocation.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The script invokes coding agents with highly permissive execution modes, including Claude's '--dangerously-skip-permissions' and Codex '--full-auto'. That gives the agent broad ability to read, modify, and execute within the checked-out repository and host context, which exceeds a streaming-only skill and creates real risk if the reviewed PR or prompt induces harmful tool use.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script can post AI-generated review comments directly to GitHub using the caller's authenticated gh context. This is a write-side effect not disclosed by the streaming-focused description, and if the agent output is incorrect, prompt-injected, or manipulated, it can publish misleading or unsafe content into the PR.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script can perform enforcer installation and trigger an OpenClaw gateway restart, which are host-level administrative actions materially beyond the stated purpose of streaming coding sessions to chat platforms. This creates a dangerous capability mismatch: a user invoking a seemingly benign messaging/relay skill may unexpectedly cause software changes and service interruption on the host.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill executes local shell commands and guard/enforcer administrative actions despite being described as a session streaming/relay tool. In context, this makes the behavior more dangerous because operators may reasonably approve or auto-run the skill expecting message routing, not host configuration changes or local command execution.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill is designed to stream coding-agent output, including tool calls, file writes, bash commands, and results, to Discord or Telegram, but it does not present a prominent up-front warning that sensitive code, secrets, internal paths, or command output may be disclosed to third-party platforms. In this context, the core function itself is data exfiltration-by-design unless users are clearly informed and given controls to minimize exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This documentation explicitly states that coding-agent sessions can stream file writes, file reads, bash commands, command output, web searches, reasoning traces, and summaries to Discord or Telegram. Even though redaction and safe mode are mentioned, the default behavior still describes transmitting potentially sensitive development data to third-party messaging platforms without a prominent privacy warning or explicit consent guidance, creating a real risk of unintentional data leakage.

Missing User Warnings

High
Confidence
99% confidence
Finding
These instructions disable Claude Code permission prompts globally without any balancing warning, effectively training users to weaken system-integrity protections for convenience. Because this skill is designed to relay live coding-agent sessions, users are likely to run powerful tools and commands, making silent approval bypass especially risky if the agent is induced to write files, execute shell commands, or handle secrets.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
At session start, the relay posts the full invoked command and later forwards agent output to Discord or Telegram, but there is no runtime confirmation or warning to the user before exfiltrating potentially sensitive prompts, paths, flags, or output. In a coding-agent context, this is more dangerous because command lines and streamed results often contain secrets, proprietary code, file paths, or internal infrastructure details.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script obtains a Telegram bot token from local configuration without any visible warning in this code path and immediately uses it to send data externally. In a tool that streams coding sessions, that makes accidental disclosure of code, prompts, and tool output more likely because outbound messaging can occur with ambient credentials rather than explicit operator intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When safe mode is off, the default stream log mode is 'full', causing raw JSONL agent streams to be persisted to disk. Those streams can contain prompts, tool inputs and outputs, file contents, command output, secrets, tokens, or other sensitive project data, creating a confidentiality risk if logs are accessed later, backed up, or collected by other systems. The skill context increases risk because this tool is explicitly designed to relay coding-agent sessions, which often include proprietary code and credentials.

Ssd 1

High
Confidence
99% confidence
Finding
The documented configuration modifies a global Claude Code settings file to bypass permission prompts and allow all actions, affecting more than just this skill invocation. That creates persistent unsafe defaults across future sessions, so any later agent task can execute high-risk operations with reduced user oversight.

VirusTotal

65/65 vendors flagged this skill as clean.
