
Security audit

ClawJobs

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward installer/configurer for ClawJobs, but users should understand that it stores a hub token in local OpenClaw configuration.

Install only if you intend to use ClawJobs and trust the hub you provide. Treat the hubToken like a credential: avoid sharing logs or diagnostic output that may include config, rotate the token if exposed, and use your own deployment values unless you deliberately choose the public demo.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill instructs the agent to write a configuration object containing a sensitive hubToken into local OpenClaw config without requiring an explicit warning or confirmation that local configuration will be modified and that credentials will be stored on disk. Even though the hub values must be user-supplied, silently persisting a secret can expose it to local users, backups, logs, or later diagnostic output, especially because the skill also includes status/doctor flows that read and report config.

VirusTotal

66/66 vendors flagged this skill as clean.
