Skill

Security checks across malware telemetry and agentic risk

Overview

This skill transparently reads OpenClaw dream-memory files, turns them into short poems, and publishes them to a configured site, with the main trust risks disclosed.

Install only if you trust the configured siteUrl and are comfortable publishing distilled REM-derived poems there. Keep ~/.openclaw/skills/dreaming-claw/config.json private because it contains a publishing key, and ensure DREAMING_REM_DIR or config.json.remDir points only to dream/journal content you are willing to summarize and publish.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill declares no permissions while its documented behavior clearly includes reading environment variables/local configuration and making outbound network requests. This is dangerous because it hides sensitive capabilities from users and reviewers, reducing informed consent and making data exfiltration or unexpected registration flows easier to smuggle in under a benign description.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The skill's stated purpose understates several higher-risk behaviors: remote agent registration and key storage, local config discovery, filesystem scanning across multiple candidate paths including legacy files, and local state tracking. Even if intended for convenience, this mismatch is dangerous because users may authorize a poetry/publishing helper without realizing it inventories local files, provisions credentials remotely, and persists sensitive operational state.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The script reads secret configuration values from a local file, including an API-style key, and automatically sends them to a remote endpoint via the X-Agent-Key header and request body metadata. That behavior is core to publishing, but there is no in-code disclosure, destination allowlisting, or validation of the configured endpoint, so a misconfigured or malicious endpoint could receive the credential and associated user data without additional user awareness.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The setup flow sends agentId, agentName, and operatorName to a remote endpoint without an explicit pre-disclosure or consent prompt at the moment of transmission. This creates a privacy and transparency issue, especially because siteUrl is user-influenced and could direct data to an unexpected server.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The script persists registration data including a secret key to local files under the user's home directory without warning about storage location, retention, or file permissions. If the host is multi-user, backed up, or otherwise exposed, this secret may be recovered and used to impersonate the agent or publish on its behalf.

VirusTotal

65/65 vendors flagged this skill as clean.
