Moses Audit

Security checks across malware telemetry and agentic risk

Overview

The skill mostly fits an audit-ledger purpose, but it appears to write governance recovery state in addition to logging, which gives it more influence than a user would expect from a ledger helper.

Review before installing. This skill may be acceptable if you specifically want a local audit ledger with signed entries, but only install it if you are comfortable with it writing persistent files and if you understand why it needs an operator secret. Ask the publisher to separate governance recovery-state updates from logging, document exact file paths and environment variables, and provide clear user control over retention and recovery flags.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill advertises and instructs use of environment variables and persistent file writes, but no explicit permissions are declared. In an agent environment, undeclared access to secrets like MOSES_OPERATOR_SECRET and writes to ~/.openclaw paths reduce transparency and can enable secret exposure, covert state changes, or unauthorized persistence that operators did not knowingly approve.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented purpose is a simple audit ledger, but the skill behavior includes additional hidden or underdocumented capabilities: reading recent entries, HMAC attestation with an operator secret, provenance tracking, and modification of governance/progress state. Behavior that affects recovery flags or uses secrets outside the stated purpose materially increases risk because operators and downstream agents may trust the skill for logging while it also influences control flow and persistent governance state.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The audit helper is not limited to append-only logging: on certain outcomes it also mutates a separate governance progress file by setting recovery flags. That creates hidden side effects outside the advertised audit boundary, so invoking a logging action can influence broader system state and downstream agent behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 79%
Finding: The code comments claim the chain is rooted in a fixed lineage anchor, but verification actually seeds from the first entry's previous_hash and never checks that it matches a trusted anchor. This weakens trust in the chain origin because an attacker can create a new ledger with an arbitrary genesis predecessor and still pass verification.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill persistently writes action details, outcomes, hashes, and failure-state metadata to local files under the user's home directory without any confirmation or transparency mechanism. In an agent setting, this can silently retain potentially sensitive operational data and create privacy, compliance, and forensic exposure.

VirusTotal

VirusTotal findings are pending for this skill version.