Conference Intern

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for conference event discovery and RSVP automation, but it needs Review because it can submit registrations and consent checkboxes using stored personal/session data without strong confirmation and URL scoping controls.

Install only if you are comfortable with an agent registering you for events using your name/email and saved answers. Review curated.md and event URLs before running registration, avoid untrusted Google Sheets, do not enable Luma login or scheduled monitoring unless you accept stored cookies/background checks, and delete luma-session.json/custom-answers.json when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill requires shell execution through multiple bash scripts, but the metadata only declares browser capability and omits an explicit shell/code permission declaration. That mismatch is dangerous because users or policy systems may underestimate the skill's ability to execute local commands, fetch remote content, and manipulate files, especially in a workflow that persists session data and performs registration actions.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The prompt explicitly instructs the agent to use `exec` with a heredoc to write the result file, which introduces shell-command execution into a workflow that only requires browser extraction and file output. Even if the target path is templated, expanding capability from page scraping to shell execution increases the attack surface and can enable command injection or unintended system interaction if any substituted variable or surrounding workflow is compromised.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The setup prompt instructs the agent to perform an interactive Luma login flow and then export and persist session cookies to `luma-session.json`. Persisting authenticated browser session material significantly expands the skill's capabilities beyond simple event discovery/setup and creates credential-handling risk if the file is exposed, reused, or insufficiently protected.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The prompt directs the agent to create a cron job for ongoing monitoring, giving the skill autonomous background execution beyond one-time setup. While aligned with the feature intent, automatic scheduling can surprise users and increases operational risk if the task runs without clear consent, visibility, or easy disablement.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill states that it persists Luma session cookies and stores personal registration-related data, but it does not present a clear user warning or consent flow about that storage. Persisted authentication material and personal answers increase the risk of account misuse, privacy leakage, and unintended retention if the local environment is shared or compromised.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises auto-registration and browser automation that act on the user's behalf, but it does not give a strong upfront warning that the agent may submit RSVPs and interact with third-party services automatically. In this context, that is especially risky because conference registrations can expose personal identity, create commitments, and trigger actions on external platforms without sufficiently explicit informed consent.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The code silently injects USER_NAME and USER_EMAIL into an agent prompt used to fill and submit third-party event registration forms, without an explicit user-facing disclosure or confirmation at the moment of submission. In a conference-registration skill, this makes accidental disclosure more plausible because the skill automates submissions to external services and may register for multiple events in bulk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends event data plus user preference fields such as interests, avoid lists, and blocked organizers to an external `openclaw agent` process without any visible notice, consent gate, or data minimization. Even if this is core functionality, it creates a real privacy and data-handling risk because conference plans and preference profiles may be transmitted to a third-party model or service outside the local trust boundary.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script instructs an autonomous browser agent to open arbitrary Google Sheet URLs from configuration, read all event data, and write the extracted contents to a local temporary file without any explicit user notice, consent checkpoint, or data-minimization controls. In this skill context, conference-planning sheets may contain more than public event metadata (for example attendee notes, internal planning comments, invite-only links, or contact details), so the agentized extraction can unintentionally copy sensitive spreadsheet contents to disk and into downstream processing.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The prompt directs the agent to modify the filesystem, including writing the result file and updating the knowledge file, without any user-facing disclosure or consent mechanism. In an agent setting, undisclosed file writes reduce transparency and can surprise operators, especially when combined with shell-based `exec`, making misuse or accidental overwrite harder to detect.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The prompt instructs the agent to load authenticated Luma session cookies from a local file and use them automatically, but it provides no user-facing disclosure, consent check, or scoping restrictions. This enables silent reuse of an authenticated session against a third-party service, which can expose the user's account context and allow unintended actions if the cookie file is stale, overprivileged, or copied from another session.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to fill and submit external registration forms using personal data from config.json without a clear warning that data will be transmitted to third-party event organizers. In this context, the action is expected business logic, but it is still risky because automatic submission can disclose personal information and perform externally visible actions without an explicit confirmation boundary.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The prompt explicitly directs the agent to submit an external registration form and write a local result file, but it does not require any user confirmation, preview, or warning before taking those side-effecting actions. Even if this is the intended workflow, it creates a real risk of unauthorized registrations, accidental consent to event terms, and silent modification of local files if the skill is invoked with incorrect context or on the wrong page.

Missing User Warnings

High
Confidence
96% confidence
Finding
The instructions collect personally identifiable information (name and email) and also direct storage of authenticated Luma session cookies, but provide no privacy notice, retention policy, or security guidance. This combination creates a meaningful confidentiality risk because both PII and live session artifacts may be written to local files where they could be leaked, mishandled, or reused for account access.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup instructions create persistent scheduled execution without an explicit warning that the skill will keep running automatically after setup. This is dangerous from a user-consent and transparency standpoint because users may unknowingly authorize continuous monitoring and future actions, especially in a skill that can discover and potentially register for events.

VirusTotal

63/63 vendors flagged this skill as clean.
