Canary

Security checks across malware telemetry and agentic risk

Overview

Canary is a defensive secrets scanner, but it asks for broad access to sensitive local files and can persist or change them, so users should review its scope carefully before installing.

Install only if you intentionally want a broad local credential-audit helper. Before running a deep scan, review the paths it will inspect, avoid pasting real secrets into chat, approve fixes one by one, and remember that .canary state, backups, and the ~/.openclaw/.canary_integrity marker may remain after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The manifest frames the skill as scanning the OpenClaw environment, but the documented behavior expands far beyond that into home-directory, history, cloud credential, and local system file inspection. That scope mismatch weakens informed consent and can cause users to install a workspace security helper without realizing it will inspect highly sensitive personal files across the host.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The self-integrity design persists data outside the skill workspace into `~/.openclaw/.canary_integrity`, creating extra cross-scope state for a skill whose primary purpose is secrets scanning. That broader persistence increases the attack surface and gives the skill a justification for writing into agent config areas unrelated to scanning findings.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The privacy section claims Canary only reads files likely to contain secrets, but the scan instructions include very broad locations like `~/Documents`, `~/Library/Application Support/`, and `~/.config/`. This inconsistency is dangerous because it understates how much personal data may be accessed and reduces meaningful user consent.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The system prompt explicitly limits the skill to advisory-only behavior, which directly conflicts with the manifest description claiming silent startup scanning and automatic fixing. This mismatch is dangerous because it misrepresents the skill's capabilities and trust boundary, potentially leading users or orchestrators to grant broader trust or permissions under false assumptions.

Vague Triggers

Medium
Confidence: 90%
Finding
The README advertises very broad natural-language triggers such as 'Run a security check' and 'Scan my environment', which are common phrases a user might say in unrelated contexts. Because this skill performs sensitive local secret scanning and may run silently on startup, accidental invocation could expose or process confidential local data without the user clearly intending to activate this specific capability.

Vague Triggers

Medium
Confidence: 96%
Finding
The skill is designed to run automatically on every startup and silently inspect files without a narrow trigger tied to a user request. Automatic invocation of a secrets-scanning skill materially increases privacy risk because sensitive files and histories are accessed even when the user did not ask for a scan in that session.

Missing User Warnings

Medium
Confidence: 94%
Finding
The description of deep scan functionality does not provide a prominent upfront warning that it accesses highly sensitive sources such as shell history, chat/session history, SSH material, cloud credential stores, and local personal directories. Users may therefore authorize the skill without understanding the depth and sensitivity of the collection.

Vague Triggers

Medium
Confidence: 89%
Finding
The example prompts are generic phrases like 'Run a security check on my machine' and 'Am I leaking any secrets?', which are broad enough to activate the skill unintentionally in normal conversation. In a startup-running security skill, accidental invocation increases the chance that users are prompted to enumerate sensitive files and paste back security-relevant metadata without having deliberately opted in.

VirusTotal

64/64 vendors flagged this skill as clean.
