
Security audit

Security Monitor V15 T33

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local security-audit tool, but its reports should be handled as sensitive system information.

Install only if you intend to audit a Linux/Unix system you administer. Prefer targeted directories, avoid unnecessary sudo or continuous mode, restrict permissions on saved logs, and redact scan reports before emailing or sharing them.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (3)

Missing User Warnings

Medium
Confidence: 92%
Finding
The README explicitly recommends scanning OpenClaw directories for secrets and printing the generated report, but it does not warn that the report itself may contain discovered API keys, passwords, tokens, or sensitive file paths. In practice, users may paste, store, or share these outputs insecurely, turning a defensive scan into a secondary disclosure channel.

Missing User Warnings

Medium
Confidence: 95%
Finding
The cron examples write full scan output to a log file and email the report, but the README does not warn that these reports may contain sensitive system state, secret material, suspicious command lines, or indicators of compromise. Logging and emailing such content can broaden exposure to anyone with log access, mail access, backups, or transit visibility.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill explicitly instructs scanning for secrets, logs, and other sensitive system artifacts, but it does not warn that the generated report or JSON output may itself contain private data such as credentials, tokens, usernames, paths, or log contents. In a security-analysis context this is risky because operators may copy, store, or transmit the output to less trusted locations, turning detection into secondary data exposure.

VirusTotal

66/66 vendors flagged this skill as clean.
