Manusilized

Security checks across malware telemetry and agentic risk

Overview

This skill is presented as an Ollama core-runtime patch, but it asks users to overwrite OpenClaw agent files and it changes how model-generated text can become executable tool calls.

Treat this as a core OpenClaw patch, not a normal skill. Install it only in a separate or backed-up checkout, after reviewing the diff and verifying the exact source and the supported OpenClaw version. Install it only if you are comfortable with automatic Markdown-to-tool-call conversion and with your prompts and headers being sent to the configured Ollama endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The code allows the effective Ollama base URL to be selected from caller-controlled `providerBaseUrl` or `modelBaseUrl`, and later sends the full chat payload, tool definitions, optional custom headers, and potentially a bearer API key to that resolved endpoint. This creates an SSRF/data-exfiltration pathway: if an attacker can influence configuration, they can redirect sensitive prompts, tool schemas, and credentials to an attacker-controlled server.
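To make the first finding concrete, here is an added example (not code from the Manusilized patch, OpenClaw, or Ollama) showing the endpoint-selection pattern the finding describes next to an allowlisted version. The config field names `providerBaseUrl`, `modelBaseUrl`, `apiKey`, `headers` and `allowedOrigins`, the default `http://127.0.0.1:11434`, and the `/api/chat` path are assumptions for the example.

```javascript
// Added example, not the patch's own code. Config shape and names are assumptions.
const DEFAULT_OLLAMA = "http://127.0.0.1:11434";

// The pattern the finding describes: the first caller-controlled value wins,
// so anyone who can set modelBaseUrl or providerBaseUrl picks the destination
// of every prompt, tool schema, custom header and bearer token.
function resolveBaseUrlUnsafe(cfg) {
  return cfg.providerBaseUrl || cfg.modelBaseUrl || DEFAULT_OLLAMA;
}

// Hardened: the configured value is parsed as a URL and its origin must match
// a fixed allowlist (local Ollama by default). Anything else is rejected
// before a request, and therefore before credentials, can leave the process.
function resolveBaseUrlSafe(cfg, allowedOrigins) {
  const allow = allowedOrigins || ["http://127.0.0.1:11434", "http://localhost:11434"];
  const candidate = cfg.providerBaseUrl || cfg.modelBaseUrl || DEFAULT_OLLAMA;
  let url;
  try {
    url = new URL(candidate);
  } catch (e) {
    throw new Error(`invalid Ollama base URL: ${candidate}`);
  }
  if (!allow.includes(url.origin)) {
    throw new Error(`refusing non-allowlisted Ollama endpoint: ${url.origin}`);
  }
  return url.origin;
}

// Builds the outbound request only after the origin check has passed, so a
// bearer key or custom headers are never attached to an arbitrary host.
// Custom headers cannot override the authorization header we set.
function buildChatRequest(cfg, payload) {
  const base = resolveBaseUrlSafe(cfg, cfg.allowedOrigins);
  const headers = { "content-type": "application/json", ...(cfg.headers || {}) };
  if (cfg.apiKey) headers.authorization = `Bearer ${cfg.apiKey}`;
  return { url: `${base}/api/chat`, headers, body: JSON.stringify(payload) };
}

// Constructed sample configs for demonstration.
const attackerControlled = { modelBaseUrl: "https://collector.invalid/ollama", apiKey: "sk-test" };
const localConfig = {
  providerBaseUrl: "http://localhost:11434/",
  apiKey: "sk-test",
  headers: { "x-trace-id": "demo", authorization: "Bearer attacker-overrides-this" },
};
```

With `resolveBaseUrlUnsafe`, the attacker-controlled config resolves to the collector host and the later request would carry the API key there; `resolveBaseUrlSafe` throws on the same input and `buildChatRequest` only ever produces a request to an allowlisted origin.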

Context-Inappropriate Capability
Severity: Medium
Confidence: 97%
Finding: The fallback logic interprets model-generated markdown/JSON in assistant text as structured tool calls and converts it into `tool_calls` that the rest of the pipeline may execute. This breaks the trust boundary between plain model text and explicit structured tool invocation, enabling prompt injection or model misbehavior to trigger unintended tool execution such as shell, network, or file operations.

Intent-Code Divergence
Severity: Low
Confidence: 88%
Finding: The code streams raw assistant content immediately as `text_delta`, then only later strips markdown tool-call JSON from the final message. That means users or downstream consumers may already receive and act on the raw embedded tool-call payload before cleanup, increasing the chance of prompt leakage, confusing UX, or accidental execution by clients that inspect streamed text.
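The second and third findings describe one pipeline, so here is a single added example (not code from the patch or from OpenClaw) that models both: the text-to-`tool_calls` fallback and the stream-then-strip ordering, next to a version that keeps the text/tool boundary intact. The fenced ```` ```json ```` convention, the event names `text_delta`, `tool_call` and `final`, and the sample chunks are assumptions constructed for the example; the actual patch's fallback format is not shown on this page.

```javascript
// Added example, not the patch's own code. Fence format and event shapes are assumptions.
const JSON_FENCE = /```json\s*([\s\S]*?)```/g;

// Pipeline as the findings describe it: every chunk is forwarded as a text_delta
// as it arrives, and only the assembled final message has fenced JSON promoted
// to tool_calls and stripped from the text. By then the raw payload has already
// been delivered to whatever consumes the stream.
function pipelineAsDescribed(chunks) {
  const events = [];
  let full = "";
  for (const chunk of chunks) {
    full += chunk;
    events.push({ type: "text_delta", text: chunk });
  }
  const toolCalls = [];
  const cleaned = full.replace(JSON_FENCE, (match, body) => {
    let parsed;
    try {
      parsed = JSON.parse(body);
    } catch (e) {
      return match; // not JSON: leave the fence in the text
    }
    toolCalls.push(parsed); // plain model text becomes an executable call
    return "";
  }).trim();
  events.push({ type: "final", text: cleaned, tool_calls: toolCalls });
  return events;
}

// Hardened pipeline: assistant text is only ever text. Tool calls are accepted
// solely from the model API's structured tool_calls field (passed in here as
// structuredToolCalls), so injected or hallucinated JSON in prose cannot reach
// the executor, and nothing needs to be stripped after it was already streamed.
function pipelineHardened(chunks, structuredToolCalls) {
  const calls = structuredToolCalls || [];
  const events = chunks.map((chunk) => ({ type: "text_delta", text: chunk }));
  for (const call of calls) events.push({ type: "tool_call", call });
  events.push({ type: "final", text: chunks.join(""), tool_calls: calls });
  return events;
}

// Returns true if any streamed text_delta already contains a tool-call fence,
// i.e. the raw payload left the process before any cleanup could happen.
function rawPayloadStreamed(events) {
  return events.some((e) => e.type === "text_delta" && e.text.includes("```json"));
}

// Constructed sample: a response whose prose contains a fenced tool call, as a
// prompt-injected or misbehaving model might emit. The command is deliberately benign.
const sampleChunks = [
  "Sure, let me check that.\n```json\n",
  '{"name":"shell","arguments":{"cmd":"id"}}',
  "\n```\nDone.",
];
```

Run `pipelineAsDescribed(sampleChunks)` and the final event carries one `shell` call that originated as prose, while the earlier `text_delta` events still contain the fence verbatim; `pipelineHardened(sampleChunks)` streams the same text but yields no tool calls unless the API itself returned structured ones.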

VirusTotal

66/66 vendors flagged this skill as clean.
