OpenClaw SubAgents Creator

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill is not deceptive, but it guides users to create persistent autonomous OpenClaw agents with broad tool, network, memory, and database authority without enough approval and shutdown guardrails.

Install only if you intentionally want persistent OpenClaw subagents. Before using it, decide which agents may run, which credentials and tools they receive, what database changes require human approval, whether web access is allowed, what memory may be stored, and how to stop cron jobs, gateway processes, pm2 notification loops, and spawned sessions. Use least-privilege auth profiles, restrictive allow/deny lists, sandboxing, timeouts, and regular review of memory and session files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Intent-Code Divergence

Medium, 97% confidence
Finding: The skill gives conflicting security-relevant guidance about whether subagents can access `sessions_spawn`: one section shows subagents using it directly, while the depth table says it is blocked for all subagents by default. In an agent-executed workflow, this ambiguity can cause operators or downstream systems to overgrant spawning privileges, enabling unintended recursive delegation, weaker oversight, and broader tool exposure than intended.

Vague Triggers

Medium, 87% confidence
Finding: The description is extremely broad, covering nearly any task related to OpenClaw setup, management, architecture, identity, memory, and spawning. Over-broad routing criteria can cause the skill to be invoked in situations where the user did not clearly request configuration changes or automation, increasing the chance that file edits, daemon startup, or subagent orchestration actions are proposed or performed prematurely.

Missing User Warnings

Medium, 95% confidence
Finding: These instructions direct modification of `~/.openclaw/openclaw.json` and creation of multiple workspace files without any user-facing warning or confirmation boundary. In practice, that can lead an agent to alter local configuration, agent identity, and memory state on disk in ways the user may not expect, with persistent effects on future runs and tool behavior.

Missing User Warnings

Medium, 98% confidence
Finding: The cron setup section instructs installation of recurring scheduled tasks but does not warn that this creates persistent background automation on the user's system. That omission is dangerous because heartbeats can continue running after the immediate task ends, consuming resources, producing autonomous actions, and changing system behavior over time without clear user acknowledgement.

Missing User Warnings

Medium, 93% confidence
Finding: The file explicitly instructs agents to persist long-term facts, lessons learned, and 'People & Context' including user preferences and working style, but provides no guidance on consent, minimization, retention limits, or handling of sensitive data. In a multi-agent system with persistent workspaces, this creates a real privacy risk because personal or behavioral data can accumulate indefinitely and be reused or exposed across sessions.

Missing User Warnings

Medium, 88% confidence
Finding: The operational guidance states that agents have 'Web browser: research and scraping' capability without any warning that using it may contact external services, transmit queries, reveal task context, or trigger collection by third parties. Because this skill is specifically for orchestrating subagents, the omission is more dangerous: multiple agents could perform networked actions or scraping at scale without explicit user awareness or policy constraints.

VirusTotal

66/66 vendors flagged this skill as clean.