Openclaw Skills

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it needs review because it can send episode audio to OpenAI and publish through a logged-in Instagram account with weak runtime guardrails.

Install only if you are comfortable letting this skill process local media, use your OpenAI API key, and operate an already logged-in Instagram browser session. Run preview/dry-run first, do not allow --post until you have checked the preview and target account, avoid confidential episodes, and delete retained /tmp screenshots and staged uploads afterward.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs local file creation/modification and shell-based media processing, yet no explicit permissions are declared. That creates a trust and containment gap: a caller may approve a seemingly simple content skill without realizing it can write arbitrary files and invoke local tooling like ffmpeg and browser helpers.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill sends episode audio for Whisper transcription and may use external image-generation services, but it does not provide a clear user-facing privacy disclosure or consent checkpoint before transmitting potentially sensitive media and transcript content off-device. This is dangerous because podcast recordings may contain unpublished material, guest PII, or confidential business information that gets exposed to third-party processors unexpectedly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script captures a full screenshot of an Instagram composer page and writes it to /tmp, which can include sensitive draft content, uploaded media previews, account information, or other browser-visible data. In this skill's context, the page is specifically handling social media posting workflows, so silent screenshot capture increases the risk of unintended collection and retention of private user content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script will publish to Instagram whenever the --post flag is present, with no final confirmation, dry-run default, or user-verification step immediately before the irreversible action. In an agent context, this is dangerous because a mistaken parameter, prompt injection elsewhere in the workflow, or unsafe chaining could cause unintended public posting from the user's authenticated Instagram session.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code uploads user audio chunks to OpenAI's external transcription API, but the script itself provides no explicit notice, consent gate, or configurable opt-in before transmitting potentially sensitive podcast content off-host. In a content-processing skill, that is a real privacy/security issue because episodes may contain unpublished material, personal data, or client-owned media that the operator may assume is processed locally.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The single-shot path also transmits the full extracted audio file to an external API without any user-facing warning or confirmation. Because this skill is designed to process full podcast/video episodes, the amount of potentially sensitive or copyrighted content sent externally is substantial, making undisclosed transmission a legitimate privacy concern.

External Transmission

Medium
Category
Data Exfiltration
Content
ffmpeg -y -i "$AUDIO_FILE" -ss "$START" -t "$CHUNK_DURATION" -acodec libmp3lame -ar 16000 -ac 1 -b:a 64k "$CHUNK_FILE" 2>/dev/null

# Transcribe chunk
RESPONSE=$(curl -s https://api.openai.com/v1/audio/transcriptions \
    -H "Authorization: Bearer $OPENAI_API_KEY" \
    -F file="@$CHUNK_FILE" \
    -F model="whisper-1" \
Confidence
88% confidence
Finding
https://api.openai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
else
    echo "==> Audio file is ${FILESIZE} bytes, transcribing in one shot..."
    
    RESPONSE=$(curl -s https://api.openai.com/v1/audio/transcriptions \
        -H "Authorization: Bearer $OPENAI_API_KEY" \
        -F file="@$AUDIO_FILE" \
        -F model="whisper-1" \
Confidence
88% confidence
Finding
https://api.openai.com/

VirusTotal

66/66 vendors flagged this skill as clean.
