每日学习卡片 (Daily Learning Cards)

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent learning-card purpose, but it processes chat history through recurring background jobs, transmits it to external services, delivers to hard-coded targets, and discloses little of this to the user.

Review before installing. Only use this if you are comfortable with your OpenClaw chat history and learning notes being stored locally, summarized by recurring jobs, sent to Feishu, and sent to third-party AI endpoints. Replace or remove hard-coded Feishu targets and API keys, require HTTPS for AI calls, configure explicit approved recipients, and add retention/redaction controls before using it with sensitive conversations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Context-Inappropriate Capability

Medium severity, 95% confidence
The script persists generated markdown files that include both AI-derived summaries and raw conversation excerpts. This expands the data-retention surface beyond transient analysis, increasing the chance of sensitive chat content being exposed through local file access, backup systems, or later unintended reuse.

Missing User Warnings

Medium severity, 93% confidence
The README explicitly describes automatic collection of conversation content, transformation into structured memory, generation of files, and delivery to Feishu, but it does not present any privacy notice, consent requirement, retention policy, or warning about potentially sensitive data being processed and transmitted. Because the skill aggregates user conversations across channels and stores them in dated files, users may unknowingly expose confidential or personal information to local storage and third-party messaging systems.

Missing User Warnings

Medium severity, 95% confidence
The skill explicitly describes automatic collection and processing of conversation records from multiple channels, but it does not provide a clear privacy warning, consent flow, retention statement, or scope limitation. Because the data source is personal chat history across Feishu/WebUI/DingTalk/WeCom/QQ, users may unknowingly expose sensitive or regulated information to automated extraction and summarization.

Missing User Warnings

Medium severity, 97% confidence
The setup flow says the agent will write configuration files and create recurring cron jobs automatically after a brief Q&A, without a strong warning that persistent system changes will be made. This is risky because it establishes ongoing background execution and message delivery, which can continue collecting and sending summaries after the initial interaction, potentially surprising the user and expanding blast radius if misconfigured.

Missing User Warnings

Medium severity, 94% confidence
The script automatically sends extracted learning summaries to a hard-coded or config-supplied Feishu target without any interactive confirmation, explicit consent check, or validation that the recipient is authorized. Because the content is derived from the user's memory/workspace files, this creates a real data-exfiltration risk if the target is misconfigured, maliciously changed, or if the skill is installed without the user understanding the outbound messaging behavior.

Missing User Warnings

Medium severity, 93% confidence
The script captures all stdout/stderr from the Node subprocess and writes it verbatim to a persistent log file. Because this job processes 'memory' content, the output may contain sensitive personal notes, prompts, model responses, or error traces, creating an avoidable data disclosure risk to anyone with log access or through later log collection/backup systems.

Missing User Warnings

Medium severity, 91% confidence
Conversation contents are packaged into a prompt and sent to another agent process without any visible consent, warning, or data-classification control. Even if the agent is local, this crosses a trust boundary and may expose sensitive user messages to another component with its own logging, storage, or network behavior.

Missing User Warnings

Medium severity, 96% confidence
The script writes memory files containing analyzed content and raw conversation excerpts to persistent storage without informing the user. Persistent storage of chat-derived data materially increases privacy risk because files may be readable by other users, indexed, synced, or retained indefinitely.

Missing User Warnings

High severity, 99% confidence
The script sends potentially sensitive study records, concepts, pitfalls, and session content to a remote service over plain HTTP, which provides no transport encryption or peer authentication. An attacker on the network path could intercept or modify prompts and responses, causing data leakage and content tampering.

Missing User Warnings

High severity, 99% confidence
A live-looking fallback API key is hardcoded in source, meaning anyone with access to the code can extract and abuse the credential. This can lead to unauthorized API use, billing fraud, service abuse, and potentially broader compromise if the same credentialing practices are reused elsewhere.

Missing User Warnings

High severity, 98% confidence
The script reads detailed local workspace data, including topics, pitfalls, concepts, quotes, decisions, and session history, then embeds that raw content into a prompt sent to a remote AI endpoint. This creates a clear confidentiality risk because potentially sensitive personal or organizational information is exported off-host without explicit consent, minimization, redaction, or prominent disclosure.

Missing User Warnings

High severity, 99% confidence
The code contains a hardcoded fallback API key, which is a credential exposure issue even if an environment variable can override it. Anyone with access to the source can reuse the secret to access the external service, incur cost, impersonate the application, or pivot into associated systems depending on the provider's trust model.

Missing User Warnings

Medium severity, 92% confidence
The script reads conversation data from a local session directory and emits full user/assistant message contents to stdout as JSON, which can expose sensitive prompts, secrets, personal data, and internal context to terminals, logs, pipes, or downstream tools. In an agent skill context, session transcripts are especially sensitive because they may contain credentials, system prompts, or cross-channel private conversations, so unguarded bulk output increases confidentiality risk.

Missing User Warnings

Medium severity, 93% confidence
The script reads the full local memory file and sends its contents to DashScope for LLM processing, but provides no explicit consent flow, warning, redaction, or policy check before transferring potentially sensitive personal or organizational data off-host. Because these files appear to contain conversation memories, they may include secrets, personal data, internal decisions, or confidential notes, making silent external transmission a real privacy and data-governance risk.

Missing User Warnings

Medium severity, 89% confidence
The script sends generated exam content to a hard-coded external Feishu target without any validation, minimization, or user-visible consent. Because the content is derived from extracted weekly learning data, this creates a real risk of unintended disclosure of internal or personal information to an external messaging destination.
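
The remediation the overview asks for (no in-source API key, HTTPS-only AI calls, an explicit recipient allow-list) written as a startup check. This is an added example, not the reviewed skill's own code; it addresses the plain-HTTP, hardcoded-fallback-key and Feishu-target findings above. The config field names (aiEndpoint, feishuTarget, approvedRecipients), the DASHSCOPE_API_KEY variable name and the sample values are assumptions.

```javascript
// Added example (not the reviewed skill's code): fail the job at startup on a
// weak endpoint, a missing key or an unapproved delivery target, instead of
// silently falling back to in-source defaults. Config keys and env var name
// are assumptions.

// Weak shape the scan flagged (illustrative only; no real key reproduced):
//   const apiKey = process.env.DASHSCOPE_API_KEY || 'sk-fallback-in-source';
//   const aiUrl  = 'http://ai.example.invalid/v1';   // plain HTTP
//   const feishu = 'oc_hardcoded_chat_id';           // fixed target

// Accept the AI endpoint only over HTTPS and without embedded credentials.
function resolveAiEndpoint(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    throw new Error(`AI endpoint is not a valid URL: ${raw}`);
  }
  if (u.protocol !== 'https:') {
    throw new Error(`AI endpoint must use https, got ${u.protocol}//${u.host}`);
  }
  if (u.username || u.password) {
    throw new Error('AI endpoint URL must not carry credentials');
  }
  return u.toString();
}

// Read the key from the environment only; there is deliberately no fallback.
function loadApiKey(env) {
  const key = (env.DASHSCOPE_API_KEY || '').trim(); // variable name assumed
  if (!key) {
    throw new Error('DASHSCOPE_API_KEY is not set; refusing to run the job');
  }
  return key;
}

// A delivery target is valid only if it appears in an explicit allow-list;
// an empty list means nothing is sent anywhere.
function checkRecipient(target, approved) {
  if (!Array.isArray(approved) || approved.length === 0) {
    throw new Error('no approved Feishu recipients configured; nothing will be sent');
  }
  if (!approved.includes(target)) {
    throw new Error(`recipient ${target} is not in the approved list`);
  }
  return target;
}

// Combine the checks into the runtime config the job actually uses.
function buildRuntimeConfig(cfg, env) {
  return {
    aiEndpoint: resolveAiEndpoint(cfg.aiEndpoint),
    apiKey: loadApiKey(env),
    recipient: checkRecipient(cfg.feishuTarget, cfg.approvedRecipients),
  };
}

// Collect every startup failure instead of stopping at the first, so a
// misconfigured install reports all problems in one pass.
function validateConfig(cfg, env) {
  const errors = [];
  const checks = [
    () => resolveAiEndpoint(cfg.aiEndpoint),
    () => loadApiKey(env),
    () => checkRecipient(cfg.feishuTarget, cfg.approvedRecipients),
  ];
  for (const check of checks) {
    try { check(); } catch (e) { errors.push(e.message); }
  }
  return errors;
}

// Constructed sample config and environment for a stand-alone run.
const weakConfig = { aiEndpoint: 'http://ai.example.invalid/v1', feishuTarget: 'oc_abc', approvedRecipients: [] };
console.log('weak config problems:', validateConfig(weakConfig, {}));
const goodConfig = { aiEndpoint: 'https://ai.example.invalid/v1', feishuTarget: 'oc_abc', approvedRecipients: ['oc_abc'] };
console.log('runtime config:', buildRuntimeConfig(goodConfig, { DASHSCOPE_API_KEY: 'constructed-not-a-real-key' }));
```

Run the validation before the cron job is installed, not just before each send: a job that cannot load a key or an approved recipient should refuse to be scheduled at all.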

Ssd 3

Medium severity, 92% confidence
The prompt explicitly instructs the agent to extract and preserve 'golden quotes,' i.e., verbatim user utterances. Preserving direct quotes increases the likelihood that sensitive, identifying, or confidential language is copied into durable outputs, making privacy leakage more severe than a high-level summary would be.

Ssd 3

Medium severity, 97% confidence
The generated memory content embeds a raw conversation excerpt inside the persistent markdown output. This directly stores source dialogue rather than just derived insights, increasing the chance of exposing credentials, personal data, or confidential discussions through local access, backups, or later sharing of the file.

VirusTotal

65/65 vendors flagged this skill as clean. A clean antivirus verdict covers known-malware signatures only; it does not address the data-handling findings above.
