OpenClaw Hot Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is a ClawHub marketplace discovery helper, and its behavior is disclosed, scoped to searching/ranking skills, and gated before installation.

Install this only if you want ClawHub skill-discovery assistance and are comfortable trusting the `clawhub` CLI dependency. Expect it to contact ClawHub for rankings and check which skills are installed locally; review any recommended skill separately before confirming installation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The skill advertises very broad trigger phrases like general requests for finding a skill or extending capabilities, which can cause it to activate in situations beyond its intended scope. That increases the chance the agent invokes external tooling unexpectedly, performs network-backed discovery, or steers the conversation toward installation workflows the user did not explicitly request.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal