Hey summon - provider

Security checks across malware telemetry and agentic risk

Overview

The skill does what it advertises, but it needs review because it runs persistently, uses a local OpenClaw gateway token, forwards replies externally without confirmation, and logs sensitive data.

Install only if you trust the publisher and are comfortable with a background watcher using your local OpenClaw gateway token to send notifications. Use a dedicated HeySummon provider key and notification target, avoid sending secrets or regulated data in replies, monitor or delete ~/.heysummon-provider event logs, and stop the watcher with the teardown script when not needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Context-Inappropriate Capability (Medium severity, 95% confidence)

The script reads a bearer token from an unrelated local application context (~/.openclaw/openclaw.json) and then uses it to invoke that application's tool gateway. This crosses trust boundaries and gives the watcher the ability to act through another privileged local service without explicit user consent or scoped credentials.

Context-Inappropriate Capability (Medium severity, 92% confidence)

A watcher that is expected to listen for events also invokes a separate local tool gateway to perform actions, effectively turning passive event intake into active capability execution. If event content or configuration is abused, this expands the blast radius from notification logic into a broader local tool ecosystem authenticated by a bearer token.

Missing User Warnings (Medium severity, 87% confidence)

The skill instructs the agent or user to execute local shell scripts (`setup.sh` and `teardown.sh`) without any warning, review guidance, or trust boundary explanation. Even though the scripts may be legitimate, encouraging execution of repository-local code is dangerous because a modified or malicious script could run arbitrary commands on the host.

Missing User Warnings (Medium severity, 92% confidence)

The skill says replies should be forwarded immediately via `reply-handler.sh` with no confirmation, but it does not warn that user content will be sent to an external platform. This creates a real risk of unintended data exfiltration, especially if users reply with sensitive operational details assuming the message stays local.

Missing User Warnings (Medium severity, 88% confidence)

The script logs the first 15 characters of the API key at startup. Partial credential disclosure can aid correlation, unauthorized troubleshooting by third-party observers, and secret reconstruction in environments where logs are shared, persisted, or aggregated.

Missing User Warnings (Medium severity, 90% confidence)

Raw event payloads are appended to a local JSONL file in the user's home directory without access controls or disclosure. These events may contain message previews, identifiers, and other sensitive workflow data that can be exposed to other local users, backups, or forensic collection.

Missing User Warnings (Medium severity, 75% confidence)

The script deletes or restarts a pm2 process, or kills an existing PID, and writes log and PID files without interactive confirmation or prior warning. In a skill/install context, silently modifying persistent processes can surprise users, disrupt unrelated operations if names or PIDs collide, and make persistence less transparent.

VirusTotal

64/64 vendors flagged this skill as clean.