Usage Visualizer

Security checks across malware telemetry and agentic risk

Overview

This skill reads OpenClaw usage logs locally to generate usage reports; the scan found no artifact-backed evidence of exfiltration, deception, persistence beyond its own usage database, or destructive behavior.

Install this only if you are comfortable with it scanning local OpenClaw/Clawdbot session logs for usage metadata and keeping a local SQLite usage database. Treat dependency installation and Chromium rendering as normal but meaningful local attack surface; prefer a trusted environment, keep dependencies current, and avoid custom output paths in sensitive directories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises executable installation and runtime behavior that clearly imply shell execution, environment access, and file I/O, yet it declares no explicit permissions. This creates a transparency and policy-enforcement gap: users or hosting agents may approve or run the skill without understanding its real capabilities, increasing the chance of unintended file access or command execution.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation claims the skill is '100% local' and has 'zero network dependencies,' but installation requires `pip3 install -r requirements.txt`, which normally fetches packages from external registries over the network. This is dangerous because it misleads users about the trust boundary and supply-chain exposure, potentially causing them to run networked installation steps under a false assumption of full locality and privacy.

Description-Behavior Mismatch

Medium
Confidence
79% confidence
Finding
The manifest explicitly claims '100% local processing' while also exposing a 'fetch' script and pointing to a repository associated with usage/cost monitoring, which suggests network-backed or externally sourced data may be involved. This discrepancy is security-relevant because users may grant trust, install, or run the skill under a false privacy assumption, increasing the risk of unintended data disclosure or deceptive behavior.

Context-Inappropriate Capability

Medium
Confidence
75% confidence
Finding
A standalone usage-fetching capability is broader than the stated purpose of local visualization/reporting and creates an undocumented data acquisition path. In a privacy-sensitive analytics skill, unexplained fetching behavior can expand attack surface, surprise users, and enable collection or transmission of usage metadata beyond what the manifest implies.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file-level behavior contradicts the skill's stated '100% local processing' privacy posture by automatically performing a sync/fetch step unless the user opts out. This is dangerous because users may reasonably trust the manifest and unknowingly trigger network access or data transfer through the delegated fetch script, undermining informed consent and the stated trust boundary.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
By default, the runner launches fetch_usage.py before generating a report, introducing a network-capable or data-collection action that is not justified by a purely local visualization description. In security-sensitive tooling, hidden or surprising capability expansion is risky because it can enable unintended exfiltration, broaden the attack surface, and defeat user expectations about offline-only operation.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The script accepts a user-controlled output path or OPENCLAW_WORKSPACE-derived directory, then creates predictable temporary files there and later unlinks them. This can overwrite existing files or delete attacker-chosen targets if the path points to an unexpected location or if symlinks are present, especially when the script runs with more privilege than the caller expects.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyyaml>=6.0
html2image>=2.0.0
Pillow>=10.0.0
Confidence
93% confidence
Finding
pyyaml>=6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyyaml>=6.0
html2image>=2.0.0
Pillow>=10.0.0
Confidence
89% confidence
Finding
html2image>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyyaml>=6.0
html2image>=2.0.0
Pillow>=10.0.0
Confidence
92% confidence
Finding
Pillow>=10.0.0

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
97% confidence
Finding
pyyaml

Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
96% confidence
Finding
Pillow

VirusTotal

64/64 vendors flagged this skill as clean.
