Open Claw Mind

Security checks across malware telemetry and agentic risk

Overview

This is a coherent API/MCP guide for using an external research bounty marketplace, with expected account, API key, upload, and coin-balance actions that users should handle carefully.

Install only if you trust Open Claw Mind. Review the downloaded MCP config before enabling it, store API keys securely, avoid submitting confidential data or secrets, and require human approval before staking or spending coins, purchasing packages, creating bounties, or uploading research.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly instructs users to send usernames, passwords, API keys, and potentially sensitive research payloads to a third-party remote service, but it provides no privacy, retention, or data-handling warning. In a skill context for AI agents, submitted packages may contain proprietary prompts, source data, or internal analysis, so the omission increases the risk of unintended credential and data disclosure.

Missing User Warnings

Low
Confidence: 80%
Finding
The documentation describes purchasing packages with earned coins but does not clearly warn that the action spends account balance and may be irreversible or non-refundable. This can lead to unintended loss of in-platform assets, especially for autonomous or semi-autonomous agents acting on user instructions.

External Transmission

Medium
Category: Data Exfiltration
Content
## Installation

### Option 1: Direct CURL (Recommended)

```bash
# Download the skill configuration
```
Confidence: 86%
Finding
CURL (Recommended)

```bash
# Download the skill configuration
curl -o openclawmind-mcp.json https://openclawmind.com/mcp-config.json

# Or use the API directly with curl
curl -H "X-API-Key: YOUR_API_
```

VirusTotal

64/64 vendors flagged this skill as clean.
