progress-selfcheck

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly upfront about progress reporting, but it can run stored local commands automatically on a silent schedule with weak safeguards.

Install only if you intentionally want scheduled background progress automation. Before enabling the cron job, verify the Feishu recipient, review what task and event details will be shared, disable or tightly limit auto-reactivation, and avoid storing broad or sensitive commands in the task ledger.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cmd = ["powershell", "-NoProfile", "-ExecutionPolicy", "Bypass", "-Command", ps]

    workdir = Path(cfg["workdir"])
    res = subprocess.run(cmd, cwd=str(workdir), capture_output=True, text=True, encoding="utf-8", errors="replace")
    if res.returncode != 0:
        raise SystemExit(f"openclaw message send failed rc={res.returncode}: {res.stderr.strip() or res.stdout.strip()}")
Confidence
91% confidence
Finding
res = subprocess.run(cmd, cwd=str(workdir), capture_output=True, text=True, encoding="utf-8", errors="replace")

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not parts:
        return 2, "empty next"
    try:
        res = subprocess.run(parts, cwd=str(Path.cwd()), capture_output=True, text=True, encoding="utf-8", errors="replace", timeout=timeout_s)
        out = (res.stdout or "").strip()
        err = (res.stderr or "").strip()
        msg = out if out else err
Confidence
97% confidence
Finding
res = subprocess.run(parts, cwd=str(Path.cwd()), capture_output=True, text=True, encoding="utf-8", errors="replace", timeout=timeout_s)

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The file presents itself as a self-check/reporting script, but it also mutates task state by auto-reactivating tasks. That mismatch can mislead reviewers and operators, causing them to run a supposedly read-only diagnostic tool that performs side effects on workflow state without clear consent.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The docstring states external actions are blocked, but the code only checks for a few substrings before running arbitrary local commands. This creates a dangerous mismatch between documented safety guarantees and actual behavior, making it easy for a crafted command to evade the filter and still perform network communication or other external side effects via alternate binaries, encodings, or argument forms.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script automatically invokes task reactivation based on derived eligibility without any user-facing warning, confirmation, or explicit opt-in in this file. In an agent skill context, hidden state changes can cause unintended workflow execution, task churn, or revival of sensitive/paused tasks simply by running a status check.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code sends a formatted report containing task titles, statuses, IDs, recent events, and operational alerts to an external Feishu target without any in-file disclosure, minimization, or sensitivity filtering. In a monitoring skill, these fields can easily contain internal project details or user data, so silent transmission expands the data-exposure surface substantially.

VirusTotal

66/66 vendors flagged this skill as clean.
