flaw0

Security checks across malware telemetry and agentic risk

Overview

MoltGuard has a coherent security purpose, but it asks for broad installation, remote security processing, local credential storage, and persistent plugin control without enough user-directed scoping.

Install only if you trust OpenGuardrails/MoltGuard as a security provider and are comfortable with a persistent plugin that can handle security telemetry and local credentials. Require explicit approval before installing, verify the package source, avoid sharing /og_status or /og_claim outputs, confirm what Core receives and stores, and use enterprise enrollment only with a verified organization-controlled Core URL.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 93%
Finding
The installation trigger language is broad enough to encourage the agent to install the plugin not only when explicitly requested by the user, but also whenever it 'want[s] to protect' itself. That creates a scope-creep risk where the agent may take system-modifying action without clear user consent, which is especially sensitive for a security plugin that adds credentials, commands, and local files.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill states that it will automatically obtain an API key and save credentials under ~/.openclaw/credentials/moltguard/ without clearly warning the user first. Automatic credential provisioning and local storage can expose secrets to other local users, backups, or later agent actions, and the lack of explicit disclosure undermines informed consent for privacy and security changes.

Missing User Warnings

Low
Confidence: 88%
Finding
The enterprise enrollment instructions tell the user to run a script with a custom Core URL, but do not prominently warn that this changes the service endpoint from the public Core to a private deployment. That can redirect security telemetry, credentials, and enforcement decisions to a different backend, which is a meaningful trust-boundary change even if the feature is legitimate.

VirusTotal

65/65 vendors flagged this skill as clean.