Failure Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill matches its monitoring purpose, but it can automatically change cron jobs and file permissions with weak safeguards.

Review before installing. Use only in a controlled OpenClaw environment until the hardcoded paths and Discord target are configurable, cron edits and chmod operations are constrained to trusted targets, shell interpolation is replaced with safe argument-based execution, and a dry-run or explicit approval step exists for permission and cron changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The documentation makes a reassuring security claim that the skill only fixes configuration issues and does not modify code, but elsewhere it explicitly describes automatically changing script execute permissions with chmod +x. That contradiction can mislead operators into granting trust or deployment approval under false assumptions, and permission changes on scripts can materially alter what code is runnable in automated contexts.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The code extracts a filesystem path from job-controlled content (`job.payload?.message`) and passes it into `execSync` as part of `chmod +x ${scriptPath}` without validation or safe argument handling. This allows arbitrary permission changes on attacker-influenced paths, and because it is executed automatically as part of repair logic, the cron-monitoring context makes it more dangerous by turning untrusted job metadata into privileged system modification.

Vague Triggers

Medium
Confidence: 90%
Finding
The auto-fix rule matches the generic string "Permission denied" and maps it directly to a permission-repair action without any scoping to file path, operation, or failure cause. In an automated failure-repair system, this can trigger on many unrelated errors and cause unsafe permission changes, potentially broadening access or masking real underlying issues.

Missing User Warnings

Medium
Confidence: 94%
Finding
The monitor performs a destructive system-modifying action (`chmod +x`) automatically with no user confirmation, warning, or approval step. In this skill’s context, that compounds the risk of the unsafe path handling by allowing immediate permission changes on detected failures, reducing the chance for a human to catch abuse or mistakes before they affect the host filesystem.

VirusTotal

No VirusTotal findings
