skill-isolator

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate project-skill-management purpose, but it can install skills from project configuration and interpolates unvalidated configuration values into shell commands, with no user review step in between.

Review any .openclaw-skills.json before running this skill, especially in repositories you do not fully trust. Avoid auto-sync for untrusted projects, do not force-install flagged skills without manual review, and prefer a fixed version that validates skill names and versions and passes them to the installer as separate arguments rather than building a shell string.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill explicitly supports installing skills from registry, git, local filesystem, and URL sources, including automatic loading and syncing, but it does not warn users about supply-chain risk, untrusted code execution, or integrity verification. In this context, silently normalizing remote skill installation is dangerous because skills may contain adversarial instructions or code and can be pulled into the local environment with little scrutiny.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The documentation enables automatic synchronization on project entry and auto-installation when a skill is missing, but does not clearly disclose that this can modify local skill directories without a separate approval step. In a project-based auto-load mechanism, merely changing into a directory could trigger installation of unreviewed skills, increasing the chance of supply-chain compromise or unexpected filesystem changes.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The FAQ explicitly recommends using a force flag to install skills already marked as suspicious, without requiring manual review or warning about trust implications. In a skill manager that installs project-scoped capabilities from external sources, this can directly bypass a security safeguard and increase the chance of loading malicious skills into the user's environment.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The tutorial tells users to download a remote JSON file with curl and immediately copy it into .openclaw-skills.json, then sync skills, without any trust, integrity, or review step. In this skill-isolation context, that configuration can control which external skill sources and packages are installed, so an attacker controlling the remote repository or response could cause users to load untrusted skills or altered sources.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The guide instructs users to enable auto-sync and project-based skill installation, which can modify the local project state and fetch/install skills from registry, git, filesystem, or URL sources. Without an explicit warning about side effects and trust boundaries, users may trigger unreviewed code/content installation in sensitive repositories or environments.

Missing User Warnings

Severity: Low
Confidence: 93%
Finding
The troubleshooting guidance tells users to run `rm ~/.openclaw/cache/skills.json` without noting that it permanently deletes a local file. While scoped to a cache path, it is still a destructive command and normalizes deletion without confirmation or backup guidance.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script automatically reads a project-local .openclaw-skills.json and then executes `clawhub install ${skillName}${versionSpec}${forceFlag}` via `execSync` with no user confirmation, no allowlist, and no validation or escaping of `skillName`/`version`. Because the configuration is discovered from the current directory tree, opening or running this in an untrusted repository can trigger unintended package installation; and because the values are interpolated into a shell string, a skill name or version containing shell metacharacters becomes command injection and arbitrary local command execution.

VirusTotal

65/65 vendors reported this skill as clean (no detections).