Claw Audit

Security checks across malware telemetry and agentic risk

Overview

ClawAudit appears to be a legitimate security tool, but it needs review because it can inspect sensitive host security areas and has an easily abused scan-skip marker.

Install only if you want both an OpenClaw audit and a broad local host-security audit. Run it least-privileged first, avoid granting shadow-group, docker, or sudoers access unless you accept the extra exposure, prefer dry-run or interactive auto-fix, and do not treat .claw-audit-trusted as a reliable trust boundary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Description-Behavior Mismatch

Severity: High | Confidence: 99%
Finding
The script’s declared purpose is an OpenClaw security scanner, but it performs broad host reconnaissance across SSH, firewalling, Docker, PAM, kernel settings, mounts, logging, and other OS controls. That is an unnecessary expansion of privilege and data access for a skill that could reasonably be expected to inspect OpenClaw configuration and installed skills only, creating substantial privacy and abuse risk if invoked in an agent context.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
Finding
This section reads or probes highly sensitive authentication state, including /etc/shadow metadata and account password conditions, which exceeds what users would expect from an OpenClaw skill audit. Even if the script does not exfiltrate contents, accessing password databases and account state materially increases exposure of credential-related data inside the agent runtime.

Context-Inappropriate Capability

Severity: Medium | Confidence: 96%
Finding
The script enumerates Docker daemon state, running containers, privileges, namespace settings, and mounts. For a skill described as auditing OpenClaw security, this container reconnaissance is broader than necessary and can reveal sensitive infrastructure details or be repurposed to map the host environment.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
Finding
The scanner unconditionally skips any skill containing a .claw-audit-trusted marker file, but there is no verification of who created that marker or whether the skill is actually trusted. A malicious skill can simply ship that file and evade all scanning, which directly undermines the purpose of the security tool and can hide high-severity threats.

Vague Triggers

Severity: Medium | Confidence: 93%
Finding
The skill advertises activation on broad security-related keywords such as 'safe', 'scan', 'audit', and 'secure', which can overlap with ordinary conversation and cause unintended invocation. In a security-oriented skill that can run shell and Node scripts, overbroad triggering increases the chance that the agent enters a privileged scanning/fix workflow when the user did not clearly request it.

Vague Triggers

Severity: Medium | Confidence: 89%
Finding
The invocation guidance maps vague phrases like 'scan', 'check security', or 'how safe is my setup' directly to executable commands without clear boundaries on what will be scanned or whether the user intended a full audit. This ambiguity is risky because the skill can launch multiple local analysis scripts and potentially lead to unnecessary access to skills, configuration, or integrity data.

Missing User Warnings

Severity: Medium | Confidence: 89%
Finding
The manifest explicitly advertises "auto-fix" and "watch mode that scans new skills in real time" but does not disclose that the skill may modify system configuration or continuously inspect installed content. In a security tool context, users may grant broad trust and permissions, so missing warnings about system changes and privacy implications can lead to uninformed consent and unexpected modification of security settings.

Missing User Warnings

Severity: Medium | Confidence: 83%
Finding
The script loads configuration from HOME-derived paths and later reads sensitive local files such as SSH configs, authorized_keys, and /etc/shadow as part of its audit workflow. In a security-audit skill this access is functionally relevant, but there is no explicit consent boundary, minimization, or warning before inspecting credential-related files, so the behavior could expose sensitive data in contexts where users do not expect such deep host inspection.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding
The helper functions execute many host commands and support sudo fallback, including docker inspection and firewall/status queries, without any built-in runtime warning or confirmation gate. In an agent skill context, invoking privileged subprocesses on the host materially increases risk because a user may trigger the tool through natural-language requests without realizing it can probe privileged system state.

Missing User Warnings

Severity: Medium | Confidence: 97%
Finding
The script performs sensitive reads and privileged probes with no user-facing disclosure that it will inspect OS security posture, Docker state, SSH keys, or /etc/shadow-related information. In an agent ecosystem, lack of disclosure is dangerous because users may trigger the skill expecting a narrow application audit, not host-level security inspection.

VirusTotal

65/65 vendors flagged this skill as clean.