Byted Security Clawsentry

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw security-plugin installer, but it performs account linking, device fingerprint transmission, credential storage, background polling, and service restarts without enough user-facing scope detail.

Install only if you trust this publisher and the Volcengine/Omni Shield service, and you are comfortable with machine fingerprinting, remote login, local credential storage, automatic plugin configuration changes, a temporary detached polling process, and an OpenClaw gateway restart. Review and remove .state/login_state.json and poll_login.log after setup if you proceed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill goes beyond installation by orchestrating user login and requiring post-login monitoring logic for up to 10 minutes. This broadens the trust boundary from local setup into account workflow control and persistence behavior, creating opportunities for covert state tracking and unintended background activity not necessary for basic configuration.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The instructions require repeated process checks and automatic restarting of a login-token process based on local state. This effectively grants the skill a persistence and self-recovery pattern that is not justified by simple plugin installation, and could be abused to keep background processes alive, continue remote communication, or mask failures from the user.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill stores login state in a local JSON file and writes an encrypted API key into plugin configuration, which expands the attack surface beyond simple installation. Even though the API key is encrypted, the same script controls the encryption method and uses the device fingerprint as input, so local compromise or predictable recovery paths may expose credentials and create persistence that users may not expect.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script derives a persistent machine fingerprint using the system machine ID and sends it in request headers for remote authentication. A stable device identifier is sensitive because it enables long-term tracking and correlation of user activity across sessions and is not necessary for a basic local plugin install unless clearly justified and consented to.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill stores login state in a local JSON file and writes an encrypted API key into plugin configuration, which expands the attack surface beyond simple installation. Even though the API key is encrypted, the same script controls the encryption method and uses the device fingerprint as input, so local compromise or predictable recovery paths may expose credentials and create persistence that users may not expect.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README states that after user authorization, OpenClaw will automatically complete the remaining installation and configuration steps, but it does not clearly describe what system changes will occur, what components will be installed, or what permissions are required. For a security-related skill that installs plugins and modifies an environment, this lack of transparency can lead users to approve impactful changes without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The machine fingerprint is collected and transmitted automatically without a clear user-facing warning or consent checkpoint at the moment of collection. In an installer-style skill, undisclosed hardware or system identification is particularly concerning because users reasonably expect local setup actions, not silent device tracking for remote authentication.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script writes an API key into plugin configuration after remote login without an explicit warning that credentials will be stored locally. This is risky because configuration files are commonly less protected than dedicated secret stores, and users may not realize the installer is persisting access credentials that could be reused if the host is compromised.

VirusTotal

65/65 vendors flagged this skill as clean.
