ClawHub

Technical Business Strategy Analysis

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate business strategy analysis skill, but it needs review because it uses local API-key configuration and writes persistent files to fixed local paths.

Install only if you are comfortable with Tavily-backed web research and local storage of business analysis outputs. Before use, change the hardcoded output path, avoid storing real API keys in plaintext files when possible, restrict the Tavily key, and review generated reports before putting confidential strategy data into the workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill is advertised as a business analysis workflow, but it also performs environment/configuration actions such as creating config directories and storing Tavily-related settings. This mismatch matters because users may invoke it expecting analysis only, while the skill also changes local state and prepares external access, reducing transparency and informed consent.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script explicitly depends on a global credential file in the user's home directory, creating a coupling to secrets outside the skill's own isolated scope. Even though it only checks for the file's existence and does not print the key, this expands the skill's access model and normalizes credential use unrelated to the core business-analysis logic.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script writes persistent files under ~/.config, which modifies user state beyond performing transient analysis. For an analysis skill, persistent home-directory changes increase risk because they can survive the current session, influence later behavior, and are not clearly necessary for a one-off analytical task.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill automatically writes reports and data to fixed paths under the workspace without an explicit confirmation step. Silent persistent writes can overwrite prior results, leak sensitive business inputs into disk storage, and create artifacts the user did not intend to retain.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs storage of a Tavily API key in a predictable local config path and performs external data retrieval without a clear warning about credential handling or network egress. Predictable plaintext credential storage and undisclosed outbound requests increase the risk of secret exposure, misuse of paid APIs, and unreviewed data transmission.

Credential Access

High
Category
Privilege Escalation
Content
echo "🔄 配置 Business Strategy Analysis 使用统一的 Tavily API Key..."

# 检查 ~/.openclaw/.env 是否存在
if [ ! -f "$HOME/.openclaw/.env" ]; then
    echo "❌ 错误: ~/.openclaw/.env 文件不存在"
    echo "请先配置 Tavily API Key: echo 'TAVILY_API_KEY=your_key' > ~/.openclaw/.env"
Confidence
85% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
echo "🔄 配置 Business Strategy Analysis 使用统一的 Tavily API Key..."

# 检查 ~/.openclaw/.env 是否存在
if [ ! -f "$HOME/.openclaw/.env" ]; then
    echo "❌ 错误: ~/.openclaw/.env 文件不存在"
    echo "请先配置 Tavily API Key: echo 'TAVILY_API_KEY=your_key' > ~/.openclaw/.env"
    exit 1
Confidence
72% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
# 检查 ~/.openclaw/.env 是否存在
if [ ! -f "$HOME/.openclaw/.env" ]; then
    echo "❌ 错误: ~/.openclaw/.env 文件不存在"
    echo "请先配置 Tavily API Key: echo 'TAVILY_API_KEY=your_key' > ~/.openclaw/.env"
    exit 1
fi
Confidence
78% confidence
Finding
.env

Session Persistence

Medium
Category
Rogue Agent
Content
# 创建输出目录(绝对路径)
   OUTPUT_DIR="/home/Vincent/.openclaw/workspace/tech-insight/business-strategy-analysis/{主题}"
   mkdir -p "$OUTPUT_DIR"
   mkdir -p "$OUTPUT_DIR/data"
   
   # 验证目录创建成功
Confidence
84% confidence
Finding
mkdir -p "$OUTPUT_DIR" mkdir -p "$OUTPUT_DIR/data" # 验证目录创建成功 if [ ! -d "$OUTPUT_DIR" ]; then echo "Error: Failed to create output directory" exit 1 fi ``` 2. **执行针对性

Session Persistence

Medium
Category
Rogue Agent
Content
fi

# 创建配置目录(如果不存在)
mkdir -p ~/.config/business-strategy-analysis

# 创建域名白名单配置
cat > ~/.config/business-strategy-analysis/tavily_domains.json << EOF
Confidence
87% confidence
Finding
mkdir -p ~/.config/business-strategy-analysis # 创建域名白名单配置 cat > ~/.config/business-strategy-analysis/tavily_domains.json << EOF { "financial": ["finance.yahoo.com", "sec.gov", "statista.com", "ibis

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal