ClawHub Skill Installer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real ClawHub skill installer, but it can overwrite local skills and has unsafe command-execution paths that need review before use.

Only use this in an isolated or disposable OpenClaw profile until it is fixed. Before running it, change the hardcoded skills path, replace shell-string execSync calls with argument-array process execution, validate skill names, add confirmation or backups before overwriting, and verify the source of any skill ZIP you install.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The search fallback builds a shell command with untrusted user input (`query`) and executes it via `execSync`, which creates a command injection path if shell metacharacters are supplied. Because this is an installer utility that users are likely to run locally with filesystem access, exploiting this could lead to arbitrary command execution on the host.

Context-Inappropriate Capability

Medium
Confidence
79% confidence
Finding
Using an external `unzip` subprocess is riskier than in-process extraction because it introduces dependence on PATH-resolved binaries and shell invocation semantics. Here the zip path is quoted, so direct injection risk is reduced, but invoking external tools in an installer broadens the attack surface and may behave unexpectedly across environments.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The install fallback executes `npx clawhub install ${skillName} --force` with user-controlled `skillName` embedded in a shell command, creating a direct command injection opportunity. This is especially dangerous because it occurs during installation, where users expect privileged local file modifications and may run the script with elevated trust.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation describes downloading, extracting, moving, and force-reinstalling skills into the user's skills directory, but it does not clearly warn that existing files or skill folders may be overwritten or modified. This can lead users to unintentionally replace installed skills or lose local changes, especially because installation paths and overwrite behavior are presented as routine operations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The installer deletes an existing target directory recursively and replaces it without confirmation, backup, or safety checks. If the target name is wrong, manipulated, or unexpectedly resolves to important content, users can suffer irreversible data loss or overwrite trusted installed skills.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This fallback not only lacks user-facing warning, but also executes a shell command constructed from user input, making it more than a transparency issue. Users may believe they are performing a simple API search while the script can instead invoke external tooling and execute arbitrary shell syntax.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The fallback silently switches to running an external installer through the shell, without making users aware that third-party commands will execute. In this context, the lack of transparency compounds the command injection and supply-chain risk, since `npx` may fetch and run remote code.

Self-Modification

High
Category
Rogue Agent
Content
### Force Reinstall

Overwrite existing skill:

```bash
node install.cjs install todoist --force
```
Confidence
89% confidence
Finding
Overwrite existing skill

VirusTotal

No VirusTotal findings
