Skill

Security checks across malware telemetry and agentic risk

Overview

This skill presents itself as an OpenClaw behavior and memory framework, but it also installs persistent agent instructions and a weekly cron trigger, with weak opt-in, backup, and rollback controls around those changes.

Install only if you intentionally want MoltCare to persistently change OpenClaw's default behavior and memory handling. Back up ~/.openclaw/workspace first, inspect the templates, avoid unpinned curl-to-bash installation, and remove or decline the cron audit entry unless you want weekly background trigger writes.
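The precautions above, as an added example that is not part of the scan report or of the MoltCare/OpenClaw project: a POSIX shell pass that snapshots ~/.openclaw/workspace, fetches the installer to disk so it can be read and hash-pinned instead of piped into bash, flags installer lines that edit the crontab, touch the hidden .audit-trigger file, or write into the workspace, and strips the weekly audit entry from a crontab listing. The installer URL, the OPENCLAW_WORKSPACE override, and the sample cron line in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example: a pre-install safety pass for a skill like MoltCare.
# The paths (~/.openclaw/workspace, .audit-trigger) come from the scan
# report; the installer URL, the OPENCLAW_WORKSPACE override and the cron
# line quoted in comments are assumptions for illustration.
set -u

WORKSPACE="${OPENCLAW_WORKSPACE:-$HOME/.openclaw/workspace}"
INSTALLER_URL="${MOLTCARE_INSTALLER_URL:-https://example.invalid/install.sh}"  # placeholder, not the real URL

# Snapshot the workspace into a timestamped tarball and print its path, so
# every file the installer may overwrite can be restored afterwards.
backup_workspace() {
    src="$1"; dest_dir="${2:-$HOME}"
    [ -d "$src" ] || { echo "no workspace at $src" >&2; return 1; }
    out="$dest_dir/openclaw-workspace-$(date +%Y%m%d-%H%M%S).tgz"
    tar -czf "$out" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    echo "$out"
}

# Fetch the installer to a file and print its SHA-256 (pin this value and
# compare it on every reinstall) instead of piping the download into bash.
fetch_installer() {
    curl -fsSL "$1" -o "$2" || return 1
    sha256sum "$2" | cut -d' ' -f1          # shasum -a 256 on macOS
}

# Print installer lines that edit the crontab, pipe remote content into a
# shell, touch the hidden trigger file, or write into the workspace.
# Returns 1 when any such line exists so the caller stops and reads them.
flag_risky_lines() {
    if grep -n -E 'crontab|curl[^|]*[|][[:space:]]*(ba)?sh|\.audit-trigger|\.openclaw/workspace' "$1"; then
        return 1
    fi
    return 0
}

# Filter a crontab listing on stdin, dropping the weekly audit entry that
# appends to ~/.openclaw/workspace/.audit-trigger and keeping everything else,
# e.g. "0 9 * * 1 echo run >> ~/.openclaw/workspace/.audit-trigger" (assumed form).
strip_audit_cron() {
    grep -v -F '.audit-trigger' || true
}

main() {
    backup=$(backup_workspace "$WORKSPACE") || exit 1
    echo "workspace backed up to $backup"
    script=$(mktemp)
    digest=$(fetch_installer "$INSTALLER_URL" "$script") || exit 1
    echo "installer saved to $script  sha256=$digest"
    if ! flag_risky_lines "$script"; then
        echo "read the flagged lines above before running: sh $script" >&2
    fi
    echo "cron entries that write the audit trigger:"
    crontab -l 2>/dev/null | grep -F '.audit-trigger' || echo "  (none)"
    echo "to drop them, source this file and run: crontab -l | strip_audit_cron | crontab -"
}

# Only act when invoked explicitly; sourcing the file just defines the helpers.
case "${1:-}" in
    --run) main ;;
esac
```

Run it as `sh preinstall.sh --run` before following the README; the flagged-line check is a stop signal, not a verdict, so read each printed line against what the README claims the installer does.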

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (33)

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill advertises a configuration/framework install, but also introduces persistent scheduled behavior via cron and hidden file writes that are not clearly framed as system-modifying side effects. The claimed trigger architecture, semantic logic, and multi-expert behavior are largely documentation-only, creating a trust gap where users may consent to one thing while the skill performs additional persistence-related setup.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The checklist instructs users to configure a persistent weekly cron job that appends a trigger phrase into the workspace, creating autonomous behavior outside the immediate install/configuration flow. This is dangerous because it establishes ongoing background automation that may surprise users, expand the skill's operational scope, and repeatedly trigger agent actions without clear consent or manifest-level disclosure.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file defines a mechanism for persistent collection and retention of user preferences, including inferred attributes, that extends beyond the stated purpose of installing or configuring the agent framework. This creates unnecessary long-term data collection and expands privacy risk, especially because the stored data may accumulate across sessions without clear scope limitation or consent boundaries.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The pattern-recognition section enables behavioral profiling such as peak hours, dislikes, sensitivities, and confidence-based inference from observation, which goes beyond normal configuration and into ongoing user profiling. This is dangerous because inferred sensitive traits and routines can be collected without explicit disclosure, increasing privacy harm, manipulation risk, and the chance of storing incorrect but impactful assumptions about the user.

Intent-Code Divergence

Low
Confidence
83% confidence
Finding
The document states that preferences are triggered by explicit phrases, but other sections indicate updates can also come from observation and inference. This ambiguity is risky because it weakens user expectations about when data is recorded and may result in silent collection beyond what the user reasonably understands.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The installer silently modifies the user's crontab to create a persistent scheduled task, which exceeds simple file/template installation and creates ongoing behavior after install. Even though the script labels this as 'optional', it proceeds automatically without explicit opt-in, which is risky because persistence mechanisms can surprise users and be abused if the workspace or trigger file is later manipulated.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This script installs a persistent scheduler capability for a framework/template installer, which is not strictly necessary for copying configuration files. Persistent automation increases attack surface because it causes future execution behavior outside the user's immediate awareness, and the scheduled action interacts with files in a user-controlled workspace.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README instructs users to execute a remotely fetched shell script directly with `bash`, which bypasses review and gives the downloaded content immediate code execution on the local system. This is dangerous because repository compromise, DNS/CDN manipulation, or malicious updates to the script could lead to arbitrary command execution during installation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The installation steps copy files into auto-loaded workspace locations without explicit overwrite warnings, backup guidance at the point of modification, or confirmation before replacing existing configuration. This can silently alter agent behavior, erase prior user customizations, or install unsafe instructions into files that are automatically consumed in future sessions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The cron/audit setup creates persistent scheduled behavior and writes to a hidden trigger file in the workspace, but the documentation does not present this as a significant persistence change requiring explicit consent. Persistent automation can surprise users, repeatedly modify files, and create a foothold for future behavior changes if the watched trigger file is later repurposed.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The semantic trigger rules are broad and loosely defined, so normal conversation can unintentionally activate special modes such as priority escalation, memory recording, or PUA-style (i.e., manipulative-pressure) behavior. In an agent skill, ambiguous activation logic is dangerous because it changes system behavior without clear user intent and can cascade into persistence or more aggressive autonomous actions.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Multi-expert mode is enabled not only by an explicit phrase but also by broad topic categories like architecture or security, which are common discussion subjects. That makes privileged internal reasoning structure activate too easily, potentially increasing token use, exposing more internal decision paths, and causing the agent to behave differently than the user requested.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The startup flow directs automatic reading of dated memory files and optional memory search without a clear user-facing notice or consent boundary. This creates a privacy and data-handling risk because historical user data may be accessed automatically at session start, even when not necessary for the current request.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The document instructs the agent to automatically record preferences, constraints, interaction summaries, and learning debt into persistent memory stores, but does not warn users about retention, review, or deletion. This is dangerous because sensitive or behavioral data can accumulate over time and later influence responses or be surfaced outside the original context.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The daily review trigger includes a broad natural-language phrase ("检查token优化", roughly "check token optimization") that could plausibly appear in ordinary user requests, causing the skill behavior to activate unintentionally. In an agent framework that installs/configures proactive triggers and memory behaviors, overly broad activation increases the chance of unexpected actions, spurious audits, or context switching without clear user intent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Using a broad everyday phrase like '搞定了' ("got it done") as a milestone trigger can cause unintended activation during normal conversation. In an agent framework with automatic triggers and follow-on evaluation behavior, this increases the risk of unsolicited actions, state changes, or memory/audit workflows firing without deliberate user intent.

Vague Triggers

Low
Confidence
79% confidence
Finding
The trigger phrase '检查token优化' ("check token optimization") is loosely scoped and can invoke an audit workflow without contextual constraints, especially when paired with the cron-based automation described elsewhere in the file. Although lower severity than a common colloquial phrase, it still enables accidental or repeated invocation of potentially costly or noisy behavior.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases are common conversational language and can activate memory or workflow behavior during ordinary discussion rather than through explicit user intent. In an agent framework that supports automatic rules and long-term memory, this can cause unintended state changes, memory pollution, or mode switching based on casual phrasing.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The role trigger phrases are broad enough to overlap with ordinary conversation, which can cause unintended loading of role templates and output constraints. In this skill, that matters because role templates can change behavior, suppress explanations, and alter how the agent responds without a clearly delimited user opt-in.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The multi-expert activation criteria include vague conditions like architecture design or situations with tradeoffs, without a hard boundary for when the mode should engage. That ambiguity can unpredictably alter reasoning style, increase prompt surface area, and make responses less controllable, which is a security and reliability risk in an agent configuration skill.

Vague Triggers

High
Confidence
96% confidence
Finding
The milestone trigger includes extremely common phrases such as "完成了" ("finished"), "搞定了" ("got it done"), and generic statements of progress, which can cause the agent to run an evaluation and token-audit flow in response to ordinary conversation rather than clear user consent. In this skill context, that is dangerous because it can trigger unintended autonomous behavior and follow-on file writes or internal workflow execution during normal chat.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document configures automatic execution via cron that appends to ~/.openclaw/workspace/.audit-trigger, but it does not clearly disclose to the user that a scheduled background process will write to local files. Hidden or poorly disclosed autonomous file modification is risky because users may not expect persistent changes, and the write can become a primitive for chaining additional behavior in systems that monitor trigger files.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly lists common credential storage locations such as ~/.env, ~/.ssh/, and an application credentials directory without any warning not to inspect, print, or transmit their contents. In the context of an agent skill that also advertises read/edit/exec capabilities, this materially increases the chance that an agent or user will access sensitive secrets during troubleshooting or setup.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The example commands encourage reading local files directly from the OpenClaw workspace, including memory files that may contain sensitive user data, without caution about minimization or redaction. Because this skill is for configuring an agent framework with memory features, normalizing direct file reads makes oversharing and inadvertent data exposure more likely.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The auto-update trigger phrases (e.g. broad matches for '不要...' ("don't..."), '禁止...' ("forbid..."), '绝不可以...' ("absolutely must not...")) are generic enough to capture ordinary conversational text rather than deliberate policy updates. In an agent framework that stores and reuses constraints, this can let a user or a prompt injection accidentally or maliciously persist unintended restrictions into memory, altering later behavior without clear authorization.
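The vague-trigger findings above (the milestone, daily-review, role, and auto-update phrases) all describe the same failure: substring matching on everyday language. The following is an added example, not part of the scan report or of the skill, that measures this on a constructed corpus of ordinary chat turns and contrasts it with an explicit command form. The corpus lines and the '/milestone', '/audit' and '/rule' slash commands are assumptions for illustration; the skill defines no such commands.

```shell
#!/bin/sh
# Added example: how often do the skill's trigger phrases fire on ordinary
# chat, versus an explicit slash-command form? The phrases are the ones
# quoted in the findings; the chat lines and the slash commands are
# constructed assumptions for this example, not part of the skill.

# Constructed corpus of ordinary turns; only the last one is a deliberate
# invocation, and it uses the explicit command form.
make_corpus() {
    cat >"$1" <<'EOF'
lunch is 搞定了, back in ten minutes
the architecture meeting moved, nothing 完成了 yet
I read a blog about 检查token优化 tricks last night
不要 forget the dentist on Friday
/milestone 搞定了 release 1.2 shipped
EOF
}

# Number of corpus lines a substring trigger fires on (the skill's style).
loose_hits() { grep -c -F -- "$1" "$2" || true; }

# Number of corpus lines that open with an explicit slash command, the
# tightened form: the user has to type "/milestone ..." to get the workflow.
strict_hits() { grep -c -E -- "^/$1([[:space:]]|$)" "$2" || true; }

# Per-trigger report: loose vs strict hit counts over the corpus.
report() {
    corpus="$1"
    total=$(wc -l <"$corpus" | tr -d ' ')
    printf '%-16s %-8s %s\n' trigger loose strict
    while IFS='|' read -r phrase cmd; do
        printf '%-16s %-8s %s\n' "$phrase" \
            "$(loose_hits "$phrase" "$corpus")/$total" \
            "$(strict_hits "$cmd" "$corpus")/$total"
    done <<'EOF'
搞定了|milestone
完成了|milestone
检查token优化|audit
不要|rule
EOF
}

corpus=$(mktemp)
make_corpus "$corpus"
report "$corpus"
rm -f "$corpus"
```

The loose column is the false-positive exposure the findings describe: every casual line containing the phrase starts an audit, a memory write, or a rule update. The strict column shows what an opt-in trigger looks like; the trade-off is that the explicit form has to be documented, which is exactly the disclosure the skill currently lacks.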

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal