OpenClaw Business Starter

Security checks across malware telemetry and agentic risk

Overview

This is a real business-automation starter, but it installs ongoing jobs and broad agent instructions that can overwrite local agent files and act on private channels without enough safeguards.

Install only after editing it for your own environment. Back up ~/.openclaw/workspace first, replace all Tara/Kalin assumptions, review or disable the cron jobs, require approval for outbound messages, code pushes, financial actions, and memory/instruction changes, and use least-privilege credentials for any connected services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Missing User Warnings

Medium, 89% confidence
The README explicitly describes autonomous logging to daily memory files, nightly knowledge extraction, long-term memory updates, and outbound Telegram/Discord briefings, but it does not clearly warn users that the skill will continuously collect, retain, and potentially transmit operational data. In a business-agent context, those logs can easily contain sensitive project details, identifiers, or personal/business information, so the omission meaningfully increases the risk of unintended data exposure and uninformed deployment.

Vague Triggers

Medium, 93% confidence
The `read_when` triggers are very broad, such as 'Setting up a new OpenClaw agent for business operations' and 'Building an autonomous AI entrepreneur', which can cause the skill to be surfaced in many loosely related contexts. Because this skill performs setup actions and later describes scripts, workspace changes, and automation behavior, overbroad activation increases the chance of unintended invocation and user confusion about when potentially impactful setup guidance should apply.

Missing User Warnings

Medium, 95% confidence
The skill does not prominently warn, before installation, that setup creates a substantial workspace structure and auto-creates scheduled cron jobs. Users may run the install/setup steps without realizing the persistence and automation effects, leading to unreviewed file creation, scheduled task execution, and operational changes on the host environment.

Missing User Warnings

Medium, 95% confidence
The script uses multiple redirections and copies to fixed paths under the workspace, which will overwrite existing files such as SOUL.md, USER.md, AGENTS.md, HEARTBEAT.md, TOOLS.md, MEMORY.md, and the current daily note without any explicit confirmation or backup step. In a setup script for a user workspace, this can destroy or silently replace user-authored configuration and memory data, and the cron setup amplifies the effect by operationalizing the newly written files immediately.

Missing User Warnings

Medium, 94% confidence
The file explicitly instructs the agent to write memories, lessons, and mistakes back into workspace files without requiring user confirmation or clearly scoping what may be modified. In an agent setting, this creates a persistence channel that can store attacker-influenced content, poison future context, overwrite trusted instructions, or leave unintended artifacts in the repository.

Missing User Warnings

Medium, 88% confidence
The skill instructs the agent to access authenticated channels and process unread messages as part of an automated heartbeat, but it provides no explicit user-consent, privacy boundary, or approval requirement for monitoring private communications. This creates a real risk of unauthorized surveillance-like behavior and autonomous handling of sensitive messages, especially because the check is periodic and suppresses notification when "everything is normal."

Missing User Warnings

Medium, 89% confidence
This skill is designed to autonomously modify multiple persistent memory and knowledge files as part of a scheduled job, but it provides no guardrails around scope, confirmation, or change review. In an agent setting, unattended writes to long-term memory can cause silent data corruption, privacy leakage between contexts, or persistence of incorrect/injected content that influences future behavior.

Missing User Warnings

Medium, 92% confidence
The instruction to automatically run re-index and embed commands introduces background command execution without any approval boundary or command allowlisting. If the underlying command path, input corpus, or tooling is compromised, this could trigger unintended code execution, excessive resource consumption, or indexing of sensitive data into searchable stores.

VirusTotal

66/66 vendors flagged this skill as clean.
