Hub1

Security checks across malware telemetry and agentic risk

Overview

Hub1/OpenClawdy is a real memory and reputation service, but it stores long-lived agent data and includes under-protected reputation/indexing actions and exposed secrets that require review before use.

Install only if you are comfortable with OpenClawdy retaining agent memories and associating them with a wallet address. Use a dedicated low-value wallet, do not store secrets or regulated personal data, verify the Hub1/OpenClawdy provider identity, and require human approval before exporting, clearing, sharing memories, or submitting reputation reports. If self-hosting, remove embedded credentials, set a strong JWT_SECRET, avoid localStorage for bearer tokens, and add authentication/authorization to reputation and indexing endpoints before exposing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Context-Inappropriate Capability

Severity: High, Confidence: 99%
Finding
The script contains a hardcoded ACP API key directly in source code and uses it to make authenticated outbound requests. Any user with access to the repository, logs, or packaged artifact can extract and reuse the credential, enabling unauthorized access to the external ACP service and making credential rotation and audit difficult.

Intent-Code Divergence

Severity: Medium, Confidence: 84%
Finding
The route is documented as a read-only history endpoint, but it also triggers a billing-side state change by calling recordQuery when querierAddress is provided. This hidden side effect can cause consumers, caches, crawlers, or internal callers to invoke a GET request expecting safe retrieval while unintentionally creating billable events, which can lead to unauthorized charges or accounting abuse if querierAddress is not strongly authenticated and bound to the requester.

Intent-Code Divergence

Severity: Medium, Confidence: 88%
Finding
The file’s stated purpose is to build reputation from on-chain transaction history, but the implementation treats any USDC transfer between known agent wallets as evidence of a completed job by setting status to 'completed' and incrementing seller success metrics. This allows reputation manipulation through self-payments, unrelated transfers, or collusive activity, creating a trust-integrity vulnerability rather than just a documentation mismatch.

Missing User Warnings

Severity: Medium, Confidence: 84%
Finding
The skill promotes persistent storage of user conversations, preferences, and project context, but provides no privacy notice, retention policy, consent requirement, or warning about storing sensitive data. For a memory product, this omission materially increases the chance that agents will collect and retain personal or confidential information without appropriate safeguards.

Missing User Warnings

Severity: Medium, Confidence: 89%
Finding
The document advertises 'Shared Knowledge Bases' across agents without any warning about cross-agent data leakage, tenancy boundaries, or consent controls. In a memory system, sharing dramatically raises the risk that one agent's stored secrets, user preferences, or project data become visible to other agents or operators.

Missing User Warnings

Severity: Medium, Confidence: 94%
Finding
The skill prominently encourages persistent storage of user facts, preferences, decisions, and learnings but does not warn against storing secrets, regulated data, or other sensitive personal information. In a memory product, this omission can cause agents to over-collect and retain privacy-sensitive data across sessions, increasing exposure in case of compromise, export, sharing, or misuse.

Missing User Warnings

Severity: High, Confidence: 98%
Finding
The cross-agent memory pool feature describes shared storage as a benefit but does not clearly explain access boundaries, consent requirements, or the risk of exposing one user's or agent's data to other agents. Shared memory materially increases confidentiality risk because sensitive context may be propagated beyond the original scope and later recalled by unintended parties.

Missing User Warnings

Severity: Medium, Confidence: 95%
Finding
The memory export feature allows bulk extraction of all stored memories, yet the documentation omits a warning that exports may contain the full corpus of accumulated user and agent data. Without cautionary guidance, operators may generate insecure backup artifacts, transmit them unsafely, or store them in locations with weaker protections than the live system.

Missing User Warnings

Severity: Medium, Confidence: 90%
Finding
The documentation describes collecting, exposing, and publishing agent transaction history, counterparties, ratings, and trust metrics without any privacy notice, consent model, retention policy, or warning about public visibility. In a reputation service, this can lead users to unknowingly disclose commercially sensitive relationship data and behavioral metadata that may be harvested or correlated across transactions.

Missing User Warnings

Severity: Medium, Confidence: 92%
Finding
The report API invites submission of feedback, ratings, and evidence references that directly affect another agent's reputation, but it does not warn that these submissions may be stored, surfaced to others, or have durable reputational consequences. Users may therefore submit sensitive or identifying content, including evidence hashes, without understanding disclosure, persistence, or abuse risks.

Missing User Warnings

Severity: Medium, Confidence: 89%
Finding
The skill promotes persistent remote storage of user and agent information but does not prominently warn that data is sent to an external service and retained across sessions. This can lead agents to upload sensitive preferences, context, decisions, or secrets without informed consent or data minimization, creating privacy and compliance risk.

Missing User Warnings

Severity: Medium, Confidence: 94%
Finding
The shared memory pool feature enables cross-agent data sharing, but the documentation does not strongly warn that content placed in a pool may become accessible to multiple agents or principals. An agent could therefore place sensitive user data, internal findings, or security-relevant context into a shared pool, causing confidentiality breaches and unintended lateral information exposure.

Missing User Warnings

Severity: Medium, Confidence: 85%
Finding
Snapshot restore includes an overwrite mode that can replace current memory state, but the warning is not strong enough for a destructive operation affecting agent behavior and stored context. Misuse or prompt-induced invocation could erase current memories, reintroduce stale or poisoned state, or alter downstream decisions in ways that are hard to detect.

Missing User Warnings

Severity: Medium, Confidence: 98%
Finding
The outbound requests use a hardcoded API credential without any runtime disclosure, but the core security issue is the embedded secret itself. In this skill context, the script is designed to query an external API at scale, so exposing the credential is especially risky because it enables third parties to perform the same authenticated access unrelated to the operator's intent.

Missing User Warnings

Severity: Medium, Confidence: 90%
Finding
This endpoint sends user-provided memory content to external embedding/vector infrastructure via createEmbedding(body.content) and upsertVector(..., { content: body.content, ... }) without any visible consent flow, disclosure, or data-minimization in this code path. If users store sensitive secrets or personal data, that information may be exposed to third-party processors or retained in external systems beyond what the user expects.

Missing User Warnings

Severity: Low, Confidence: 95%
Finding
The endpoint accepts unauthenticated, unverified request data and writes reputation-affecting transaction records directly to the database. An attacker can forge buyer/seller addresses, create arbitrary transactions, and later influence seller trust metrics through the PATCH flow, enabling reputation manipulation and denial of integrity in the reputation system.

Missing User Warnings

Severity: Medium, Confidence: 84%
Finding
The code persists the session bearer token and cached memory data in localStorage, which is readable by any JavaScript executing in the origin. If an XSS bug or a malicious third-party script exists anywhere in the app, an attacker could steal the token and sensitive memory contents, leading to account/session compromise and privacy loss. The lack of user disclosure is secondary; the core security issue is insecure client-side persistence of sensitive data.

Missing User Warnings

Severity: Medium, Confidence: 92%
Finding
The examples normalize direct use of a private key string in client-side sample code without a strong warning not to hardcode or expose real credentials. In the context of a 'use client' docs page for agent integration, this can lead developers to copy unsafe patterns, resulting in wallet compromise and unauthorized signing.

Tool Parameter Abuse

Severity: High, Category: Tool Misuse
Content

```
GET /api/memory/export

// Clear vault
DELETE /api/memory/vault
```

Confidence: 81%
Finding
DELETE /api/memory/vault

VirusTotal

64/64 vendors flagged this skill as clean.