Claw Connector

Security checks across malware telemetry and agentic risk

Overview

This peer-collaboration skill is mostly coherent, but it needs Review because it has broad network, memory, background-listener, and cross-agent context behavior with some unclear or inconsistent controls.

Install only if you are comfortable with a skill that stores local identity keys, reads and writes collaboration memory, injects peer and commitment summaries into session context, uses an external or token-specified relay, and may run a long-lived listener or optional cron reminder. Treat Diplomat Address tokens as sensitive, review relay URLs before connecting, and manually verify inbound proposals instead of relying on the check-in-based accept prompt.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill requests or describes broad capabilities including file reads/writes, network access, shell execution, and environment interaction without declaring scoped permissions. That creates a large implicit trust boundary, making it harder for users or the platform to understand and constrain what the skill can do, especially since it modifies local files, installs dependencies, and communicates with external services.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented behavior materially exceeds the advertised purpose: beyond peer negotiation it manages keys, modifies persistent memory/heartbeat files, installs cron jobs, performs notifications, and appears to encompass relay/server-style functionality and task handoff features. This mismatch is dangerous because users may install a seemingly narrow coordination skill while unknowingly granting a much broader operational footprint and persistence on their machine.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding: The skill claims relay-only encrypted coordination, but it also installs a local cron job and may send notifications through the OpenClaw CLI over external messaging channels. That expands data exposure beyond the stated encrypted relay path and can leak sensitive task metadata or reminders into other channels with different security properties.

Context-Inappropriate Capability

Medium
Confidence: 85%
Finding: System cron persistence and cross-channel notification delivery are powerful capabilities not clearly necessary for basic encrypted peer negotiation. These features increase attack surface and persistence, and they create additional avenues for accidental data disclosure or abuse if the skill or its dependencies are compromised.

Intent-Code Divergence

Medium
Confidence: 97%
Finding: The trusted-peer proposal prompt tells the user to accept by running `/claw-diplomat checkin ${shortId} done`, which appears to be a status/completion command rather than a proposal-acceptance action. This can cause state confusion, incorrect workflow transitions, or accidental completion of the wrong session if a user follows the UI literally; because the command is generated from external ledger data, it also increases the risk of unsafe or unintended user actions.

Description-Behavior Mismatch

Medium
Confidence: 83%
Finding: The file implements a HANDOFF message path that accepts and persists peer-supplied task context, completed work, and remaining work, even though the declared skill scope only mentions negotiation, commitment tracking, and reminders. This scope expansion increases the attack surface because another agent can inject workflow context into the ledger and logs, potentially influencing human decisions or downstream automation that trusts the recorded handoff data.

Vague Triggers

Medium
Confidence: 84%
Finding: The natural-language activation phrases are broad enough to overlap with normal conversation, which can cause unintended skill activation in response to benign user text. In a skill that performs network actions, writes local state, and manages commitments, accidental invocation can lead to unauthorized operations or social-engineering-assisted workflow manipulation.

Missing User Warnings

Medium
Confidence: 92%
Finding: This bootstrap hook automatically injects connected peer identities and active commitment details into every session context without explicit user awareness or per-session consent. Even though the content is treated as data and not executed, it exposes relationship metadata and task details to the agent by default, which can lead to unintended disclosure, prompt-surface expansion, and privacy leaks if the agent later echoes, summarizes, or acts on that context in ways the user did not expect.

Missing User Warnings

Medium
Confidence: 78%
Finding: The live relay tests generate identity tokens and send them to a real external relay when `--relay` is used, which can disclose test identities and metadata to a third-party service. While this is gated behind an explicit flag, there is no strong runtime warning or confirmation at the execution point, so operators may not fully appreciate that network transmission is occurring.

Session Persistence

Medium
Category: Rogue Agent
Content (excerpt from the skill's setup instructions):
3. Write public key hex to `skills/claw-bond/diplomat.pub` → chmod 644
4. Initialize `peers.json` as `{"peers":[]}` and `ledger.json` as `{"sessions":[]}`
5. Append `## Diplomat Deadline Check` block to `HEARTBEAT.md` (idempotent — check for duplicate first)
6. Register cron entry for proactive deadline alerts (Path A). If cron is unavailable, log a warning and continue — Path B (heartbeat fallback) will still work.
7. Show:

Confidence: 93%
Finding: Register cron entry for

VirusTotal

66/66 vendors reported this skill as clean.