OpenClaw Mobile Pair

Security checks across malware telemetry and agentic risk

Overview

This skill is for pairing a phone app, but it relies on a missing PowerShell script that would automatically use a local gateway token and copy sensitive pairing data.

Review this before installing or invoking it. Obtain and inspect the missing generate-mobile-pairing.ps1 script, confirm the BFF URL is trusted, and understand exactly where the gateway token, pairing code, output file, and clipboard contents go before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 87% confidence
Finding
The manifest description promises one-click generation and explicitly mentions automatically reading the local gateway token, but it does not define any gating conditions, confirmation step, or scope restrictions. In a user-invocable skill, broad auto-action wording can encourage sensitive local access without informed consent, increasing the chance of unintended credential use.

Missing User Warnings

High, 97% confidence
Finding
The skill description says it will automatically read the local gateway token but gives no warning that it is accessing a sensitive local credential. That omission is dangerous because users may invoke the skill without understanding that a secret is being harvested from the host and used to generate a pairing artifact that may enable downstream account or device access.

Missing User Warnings

Medium, 94% confidence
Finding
The workflow directs execution of a PowerShell script with ExecutionPolicy Bypass and CopyToClipboard, but does not warn the user about running local code, policy bypass, or clipboard side effects. This is risky because it normalizes bypassing PowerShell protections and may place sensitive pairing data into the clipboard where other applications or users could access it.

VirusTotal

66/66 vendors flagged this skill as clean.
