DocClaw

Security checks across malware telemetry and agentic risk

Overview

DocClaw appears to be a legitimate OpenClaw documentation helper that fetches and caches docs from the official docs host without credential access or hidden behavior.

Install this if you want OpenClaw documentation lookup and are comfortable with included Python scripts running on demand, fetching from docs.openclaw.ai, and writing local index/cache files. Treat fetched documentation as reference material, and review the scripts first if source provenance matters to you.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill instructs the agent to run shell commands, read local files, refresh indexes, and perform network fetches, but the manifest does not declare any corresponding permissions. This creates a mismatch between the advertised trust boundary and the actual capability surface, making it easier for operators to approve or execute a skill without understanding that it can access the filesystem, spawn commands, and reach the network.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal