Apprentice

Security checks across malware telemetry and agentic risk

Overview

This skill is local and purpose-aligned, but it stores learned workflows permanently and can replay generated shell scripts with more authority than its safety claims disclose.

Install only if you are comfortable with a local skill that records your narrated procedures into permanent workflow files and can run generated bash scripts. Do not teach it secrets, API keys, deployment credentials, destructive commands, or account-changing routines unless you have reviewed and edited the saved SKILL.md, observation.json, and run.sh files first. Treat replay as unsandboxed local execution unless your OpenClaw environment adds separate containment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (20)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print()
    try:
        result = subprocess.run(
            ["bash", str(run_script)],
            env=env,
            capture_output=False
Confidence
95% confidence
Finding
result = subprocess.run( ["bash", str(run_script)], env=env, capture_output=False )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises no required permissions while its documented behavior includes shell execution, local file writes, and workflow persistence. This under-declaration undermines user consent and security review, because a user may approve installation believing the skill is passive when it can later generate and run scripts that modify the system.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior overstates safety and capability while omitting materially risky functions such as subprocess execution, persistent artifact creation, and run-history logging. That mismatch can mislead users into demonstrating sensitive or destructive workflows under false assumptions, then replaying them automatically without understanding the true execution model.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The security claim says no credentials are accessed, but the instructions explicitly encourage narrating sensitive values such as API keys during demonstrations. That means secrets may be captured into observation logs, workflow files, or prompts to the model, creating durable local exposure and possible downstream leakage through replay or sharing.

Intent-Code Divergence

Low
Confidence
90% confidence
Finding
The skill claims the user reviews synthesis before saving, yet the documented file layout indicates raw observation data is already persisted locally during the session. This is a trust and privacy issue because sensitive data may be written before the user has a chance to reject or edit the workflow.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The manifest claims no environment variable access, but the runner copies the entire parent environment and passes it to the executed workflow. Any learned `run.sh` can therefore read secrets such as API keys, tokens, cloud credentials, or internal configuration from environment variables and exfiltrate or misuse them.

Intent-Code Divergence

High
Confidence
93% confidence
Finding
The documentation asserts there are no network calls, but the runner executes arbitrary shell scripts whose behavior is unconstrained and may include network access. This misrepresentation can cause operators to trust and deploy the skill under false assumptions, increasing the risk that a learned workflow performs data exfiltration or command-and-control activity unnoticed.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill's advertised purpose is watch-and-replay workflow learning, but the implementation grants a much broader capability: execution of arbitrary shell scripts stored under workflow directories. That creates a dangerous trust boundary failure where learned content becomes code, enabling persistence, destructive commands, credential theft, or lateral movement if a workflow is malicious or tampered with.
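The two findings above (the runner passing the full parent environment to run.sh, and learned workflow files becoming executable code that can be tampered with) both come down to the replay step. The following is an added example, not code from the Apprentice skill or from SkillSpector: it shows the hardened shape of the quoted subprocess.run call, building a minimal environment from an explicit allowlist instead of inheriting everything, and refusing to execute a run.sh whose SHA-256 no longer matches the digest recorded when a human last reviewed it. The allowlist contents and the digest sidecar file name (run.sh.reviewed-sha256) are assumptions for this example.

```python
"""Hardened replay runner for a learned workflow (added example, not the
Apprentice skill's own code).

The finding above quotes a runner of the form
    subprocess.run(["bash", str(run_script)], env=env, capture_output=False)
where env is the full parent environment. This version:
  * builds the child environment from an allowlist, so variables such as
    AWS_SECRET_ACCESS_KEY never reach run.sh unless deliberately added;
  * refuses to run a run.sh whose SHA-256 differs from the digest saved at
    review time, so a modified workflow file is not silently executed.
The allowlist and the sidecar name are assumptions for this example.
"""
import hashlib
import os
import subprocess
from pathlib import Path

# Variables a replayed script legitimately needs (assumed for this example).
ENV_ALLOWLIST = ("PATH", "HOME", "LANG", "TERM")

# Name fragments that mark a variable as credential-like even if someone
# adds it to the allowlist by mistake.
SECRET_MARKERS = ("KEY", "TOKEN", "SECRET", "PASSWORD", "CREDENTIAL")


def build_env(parent: dict, allowlist=ENV_ALLOWLIST) -> dict:
    """Return only the allowlisted, non-secret variables from parent."""
    env = {}
    for name in allowlist:
        if name in parent and not any(m in name.upper() for m in SECRET_MARKERS):
            env[name] = parent[name]
    return env


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def _digest_file(run_script: Path) -> Path:
    return run_script.with_name(run_script.name + ".reviewed-sha256")


def record_review(run_script: Path) -> None:
    """Call after a human has read and approved the current run.sh."""
    _digest_file(run_script).write_text(sha256_of(run_script) + "\n")


def check_reviewed(run_script: Path) -> bool:
    """True only if run.sh matches the digest saved at review time."""
    digest_file = _digest_file(run_script)
    if not digest_file.exists():
        return False
    return sha256_of(run_script) == digest_file.read_text().strip()


def replay(run_script: Path) -> int:
    """Run a reviewed script with a minimal environment; raise otherwise."""
    if not check_reviewed(run_script):
        raise PermissionError(
            f"{run_script} has not been reviewed, or changed since review"
        )
    result = subprocess.run(
        ["bash", str(run_script)], env=build_env(os.environ), check=False
    )
    return result.returncode


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        script = Path(d) / "run.sh"
        # Constructed workflow: exits 3 if a secret leaked into its environment.
        script.write_text(
            '#!/bin/bash\nif [ -n "$MY_API_KEY" ]; then echo leaked; exit 3; fi\necho ok\n'
        )
        os.environ["MY_API_KEY"] = "example-secret"  # constructed for the demo
        try:
            replay(script)  # not yet reviewed
        except PermissionError as e:
            print("blocked:", e)
        record_review(script)
        print("exit code:", replay(script))  # 0: the key never reached the script
        script.write_text("echo tampered\n")  # simulate post-review modification
        try:
            replay(script)
        except PermissionError as e:
            print("blocked:", e)
```

The digest check only protects against changes made after review; it does nothing for a workflow the user approved without reading, which is why the Overview tells users to edit the saved run.sh before relying on replay.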

Vague Triggers

Medium
Confidence
91% confidence
Finding
The start-observation triggers are extremely broad and conversational, including phrases like "Watch me" and "Learn this" that can occur in normal interaction. In a skill designed to capture user actions and synthesize reusable workflows, accidental activation could begin recording sensitive commands, files, or decisions without the user realizing the session has started.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The stop triggers are similarly ambiguous, with phrases like "Done" and "Got it?" that are common in ordinary conversation. This can terminate observation at the wrong time, leading to incomplete or corrupted learned workflows that may later be replayed incorrectly against the local system.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README promotes persistent observation and permanent replay of demonstrated tasks without prominently warning that the system may capture commands, file paths, repository URLs, operational habits, and other sensitive context. Because the core feature is to turn demonstrations into durable automation, insufficient disclosure increases the risk of users exposing or later re-executing dangerous actions on their machine.

Vague Triggers

Medium
Confidence
93% confidence
Finding
Broad activation phrases like 'watch me' or 'learn this' can occur in ordinary conversation, making unintended observation sessions plausible. In this skill's context, accidental activation is more dangerous because it can trigger logging of sensitive narrated actions that later become executable workflows.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Stop triggers such as 'done' or 'that's it' are common conversational phrases and may terminate recording unexpectedly. This can produce incomplete or malformed learned workflows, increasing the chance that later automated execution omits safety-critical steps or captures a partial procedure out of context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill does not adequately warn that learned workflows may later perform shell commands and file modifications automatically. Users may demonstrate tasks casually, not realizing they are creating persistent automation that can execute destructive actions on replay or after small edits/generalizations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The observer persists narrated actions and raw step text to local JSON files, but the user-facing prompts only say the system is 'watching' and recording steps, not that this data will be stored on disk in a reusable workflow directory. In a watch-me workflow tool, users may narrate secrets, credentials, internal procedures, or sensitive business context, so silent local persistence creates a real privacy and data-handling risk.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill explicitly promises to preserve the user's "exact sequence, exact decisions, exact variables" and later stores workflows as persistent artifacts including SKILL.md, run.sh, and observation data. That design materially increases the chance that secrets, internal paths, repo details, tokens, or sensitive operational procedures demonstrated during teaching will be retained and replayable.

Ssd 3

Medium
Confidence
90% confidence
Finding
The trigger phrases explicitly encourage the agent to "remember" and later replay procedures, but no retention boundaries or secret-handling limits are described. In this context, memory and replay are not harmless convenience features: they can preserve sensitive inputs or privileged admin routines and make them executable later with minimal friction.

Ssd 3

High
Confidence
98% confidence
Finding
The README explicitly gives "Now I'm updating the config with the API key" as an example of good observation behavior, which normalizes narrating secrets during capture. In a system that records observations and generates persistent runnable workflows, encouraging users to speak or type API keys directly creates a clear pathway to credential leakage and later compromise.
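The findings on narrated secrets and on raw step text being written to disk during the session share one mitigation point: the moment a narrated step is persisted. The following is an added example, not code from the Apprentice skill or from SkillSpector, showing a redaction pass that runs over each narrated step before it is written to observation.json, replaces values that look like credentials with a placeholder, and reports how many were scrubbed so the user can be warned. The step schema ({"step": int, "text": str}), the pattern set, and the sample steps are all constructed for this example.

```python
"""Redact credential-like values from narrated steps before persisting
observation.json (added example, not the Apprentice skill's own code).

The step schema and the patterns below are assumptions for this example.
The patterns are deliberately conservative: over-redacting a demo log is
cheaper than persisting a real key into a replayable workflow.
"""
import json
import re

# Ordered so that the generic name=value rule consumes an assignment whole
# (one redaction) before the value-shape rules see the remaining text.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b\w*(key|token|secret|password)\w*\s*[:=]\s*\S+"),  # NAME=value
    re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),                                 # sk-... API keys
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                                    # AWS access key IDs
    re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),                          # GitHub tokens
    re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/-]+=*"),                     # Authorization headers
]
PLACEHOLDER = "[REDACTED]"

# Constructed narrated steps, modelled on the README's own example phrasing.
SAMPLE_STEPS = [
    {"step": 1, "text": "Now I'm updating the config with the API key sk-abcdefghijklmnopqrstuvwxyz123456"},
    {"step": 2, "text": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"},
    {"step": 3, "text": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig' https://api.internal/deploy"},
    {"step": 4, "text": "Then I run the deploy script"},
]


def redact_text(text: str):
    """Return (redacted_text, number_of_redactions) for one narrated step."""
    total = 0
    for pat in SECRET_PATTERNS:
        text, n = pat.subn(PLACEHOLDER, text)
        total += n
    return text, total


def redact_observation(steps: list) -> dict:
    """Redact every step; return the cleaned record plus a redaction count."""
    cleaned, count = [], 0
    for step in steps:
        text, n = redact_text(step["text"])
        cleaned.append({"step": step["step"], "text": text})
        count += n
    return {"steps": cleaned, "redactions": count}


def persist(steps: list, path: str) -> int:
    """Write the redacted observation to path; return how many values were scrubbed."""
    record = redact_observation(steps)
    with open(path, "w") as f:
        json.dump(record, f, indent=2)
    return record["redactions"]


if __name__ == "__main__":
    record = redact_observation(SAMPLE_STEPS)
    print(json.dumps(record, indent=2))
    if record["redactions"]:
        print(f"warning: {record['redactions']} credential-like values were "
              "redacted; review observation.json before generating run.sh")
```

Pattern matching catches common key shapes, not every secret a user might say aloud, so the warning should prompt a manual review of the observation file rather than replace it.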

Ssd 3

Medium
Confidence
95% confidence
Finding
The observation model encourages recording all narrated actions, decisions, and variable values, which can include personal, operational, or regulated data. Persisting that detail as logs and reusable workflows creates a long-lived local surveillance record that may be searched, copied, or unintentionally shared.

Ssd 3

Medium
Confidence
92% confidence
Finding
Promoting a persistent 'library of you' normalizes accumulation of detailed behavior history over time, increasing privacy risk and the blast radius of compromise. In this context, long-term retention is especially sensitive because the collected workflows may encode habits, infrastructure details, repository names, deployment practices, and other operational intelligence.

VirusTotal

66/66 vendors reported this skill as clean.