openclaw-behavior-plan

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only planning skill that can suggest sensitive actions, but it does not execute them or install hidden code.

Install this only if you want an agent to draft executable OpenClaw plans. Review every generated plan before running it, especially steps involving shell commands, file writes, secrets, calendar data, Slack/email posts, or other account actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 90%
Finding
The skill description is broad enough to trigger on many generic planning or task-design requests, which can cause the agent to invoke this skill when a more specific or safer skill would be more appropriate. Overbroad activation increases the attack surface for prompt steering and can degrade tool-selection safety by routing unrelated requests into a planning workflow that may recommend powerful tools like shell execution.

Natural-Language Policy Violations

Medium
Confidence: 94%
Finding
The skill content is written to force Chinese-language output and does not provide a mechanism to respect the user's language preference. This can cause instruction conflicts, reduce operator visibility and reviewability in multilingual environments, and make it harder for users or downstream systems to validate sensitive planned actions, especially when the plan may include risky tool recommendations.

Missing User Warnings

Medium
Confidence: 89%
Finding
The example instructs the agent to read a local config.yaml and analyze it for secrets, but it does not warn that the full file contents may be exposed to the model and then echoed into a report. Config files commonly contain passwords, API keys, and tokens, so this creates a realistic risk of unnecessary secret disclosure or retention in downstream outputs.

Missing User Warnings

Medium
Confidence: 83%
Finding
The example plans to derive free/busy information from the user's calendar and send it to Slack without any privacy notice or confirmation about sharing scheduling data to an external channel. Even if only free slots are sent, this reveals availability patterns and potentially sensitive operational context to third parties or unintended recipients.

VirusTotal

64/64 vendors flagged this skill as clean.
