OpenClaw 晴晴终极套件

Security checks across malware telemetry and agentic risk

Overview

This skill bundle is broadly useful but combines account automation, external data sharing, workspace mutation, and background recovery with insufficient limits and user controls.

Review this before installing as a high-authority automation bundle, not a simple productivity skill. Keep auto-activation, Guardian rollback, Feishu delivery, social publishing, browser-cookie crawling, public search fallback, and remote IronClaw scanning disabled unless you explicitly need them, and use it only in a workspace where automatic edits and resets are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (122)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill advertises broad capabilities via metadata and documented behavior, including environment access, file access, networking, and shell-like installation/automation flows, but does not declare an explicit permission model. That creates a trust and review gap: users cannot clearly assess what the suite may read, modify, or transmit before installation, especially because it aggregates many sub-skills and scripts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose presents the package as a productivity/security mega-suite, but the detected behavior includes repository mutation, gateway/process management, remote scanning, deployment automation, social publishing, local installs, and workspace rewriting. This mismatch is dangerous because users may authorize the suite expecting assistance features while it performs privileged actions that can alter local state, exfiltrate content to third parties, or publish externally.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document repeatedly markets security scanning as '免费安全' ("free security") with '100% 通过率' ("100% pass rate"), which is misleading because a scanner cannot guarantee safety or universal pass results. Users may place unjustified trust in the suite, lower their guard, and deploy or share sensitive prompts and outputs under a false sense of protection.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The marketing claims '本地执行,无需 API,隐私保护' ("runs locally, no API required, privacy protected") for security while elsewhere promoting a cloud-first multi-model architecture. This contradiction can mislead users into believing prompts and data stay local when they may actually be sent to remote services, creating privacy and compliance risk.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document repeatedly claims the security scan has a 100% pass rate, while the same file later says scanning is still in progress. This is a trust and integrity issue: users may rely on unverified security assurances when deciding to install or promote the skill, reducing scrutiny and increasing the chance of unsafe adoption.

Intent-Code Divergence

Low
Confidence
87% confidence
Finding
The release timeline says GitHub Release and ClawHub launch are already completed, but the checklist marks the GitHub Release as still pending. While less severe than false security claims, this inconsistency can mislead users and reviewers about what artifacts are public and verified, weakening release governance and auditability.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The marketing copy claims the suite is 'local/no API required' while other parts describe cloud-first model usage, creating a misleading security and privacy representation. Users may rely on false assumptions about data locality and transmission, which can lead to unintended disclosure of prompts or sensitive business information to remote services.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The script markets 'free local security scanning', 'no API required', and strong privacy guarantees while the broader workflow explicitly references cloud-hosted models. That mismatch can cause users to make unsafe trust decisions about where data is processed, potentially leading them to expose sensitive code or documents under a mistaken belief that everything remains local.

Scope Creep

Medium
Confidence
91% confidence
Finding
The skill's documented workflow writes screenshots, summaries, logs, and scheduler artifacts to disk, but the declared allowed-tools only mention browser-use, echo, and date. This mismatch weakens permission transparency and can mislead reviewers or downstream enforcement about the skill's true data-handling behavior, especially when handling mailbox contents.

Scope Creep

Medium
Confidence
84% confidence
Finding
The skill automates access to external email providers and relies on live authenticated sessions, but the manifest does not clearly disclose network/data-access scope beyond browser-use. For a mailbox-reading skill, undeclared external access materially increases risk because sensitive communications may be retrieved without explicit, reviewable capability boundaries.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script goes beyond passive monitoring and performs destructive recovery on a user workspace by automatically selecting a commit and issuing a hard reset. In a background guardian process, this can erase uncommitted work or revert legitimate changes without user approval, making the behavior materially risky even if framed as self-healing.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The function automatically chooses a prior commit and executes `git reset --hard`, which destroys working tree and index changes. Because this is triggered by service-health failures rather than an authenticated maintenance workflow, a transient or induced gateway failure could cause loss of user data and rollback of unrelated workspace state.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script sends raw file contents, commands, and messages to a third-party endpoint at ironclaw.io for analysis. This creates a real data exposure risk because scanned inputs may contain proprietary code, credentials, personal data, or sensitive prompts, and the external transmission is not clearly disclosed in the script behavior or manifest context provided.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The audit log field named timestamp stores the user's home directory path string instead of an actual time value. This both leaks unnecessary environment information into logs and undermines audit integrity by making records misleading and harder to investigate correctly.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The README explicitly promotes stealth browsing, Cloudflare/anti-bot bypass, and local Chrome use as core features of a search skill. Those capabilities materially expand the skill from ordinary search into access-evasion behavior, which can facilitate scraping behind defenses and create legal, abuse, and detection-risk concerns in agentic environments.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The README explicitly advertises stealth and anti-bot bypass capabilities such as Cloudflare Turnstile evasion and stealth browsing modes. For a web-search skill, this expands behavior into accessing protected sites in ways that may violate site controls, increasing legal/compliance risk and enabling misuse beyond ordinary retrieval.

Context-Inappropriate Capability

Low
Confidence
80% confidence
Finding
The README states the tool will automatically detect and use proxies from environment variables or common local ports. Silent proxy discovery can route traffic through unintended intermediaries, changing trust boundaries and potentially exposing queries or fetched content without clear user awareness.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The docstring claims the skill is '100% free and private,' but the code explicitly falls back to a public SearXNG instance and uses browser-mimicking behavior including realistic headers, referer spoofing, proxy support, and optional TLS verification relaxation for local MITM proxies. This can mislead users and downstream agents into sending potentially sensitive search terms off-host under false privacy assumptions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script does more than install a local web-search skill: it persistently copies files into the user's workspace, modifies shared AGENTS.md and TOOLS.md instruction files, and changes global agent behavior. This creates a supply-chain style trust boundary issue because a narrow-purpose skill can silently alter broader workspace behavior beyond what a user would reasonably expect from a web-search component.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Rewriting shared AGENTS.md and TOOLS.md files and then restarting the openclaw gateway gives this script persistent influence over agent instructions and runtime behavior. For a web-search skill, this is an unjustified privilege expansion that could be abused to steer future agent actions, override defaults, or silently activate capabilities across unrelated tasks.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The auto-activation rules use very generic trigger words such as '开发' ("development"), '产品' ("product"), '网站' ("website"), and similar broad terms, which can easily appear in ordinary conversation. In a skill suite that can activate multiple agents and downstream integrations automatically, this creates a real risk of unintended tool execution, task initiation, or data movement without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Several other scenario rules rely on commonplace keywords like '搜索' ("search"), '数据' ("data"), '内容' ("content"), '天气' ("weather"), and '邮件' ("email"), without clear boundaries, consent checks, or separation between informational requests and action-taking workflows. Because the suite includes scraping, publishing, calendaring, and notification capabilities, ambiguous activation expands the chance of unintended external actions or privacy-impacting operations.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README advertises automatic file delivery and Feishu notifications as part of recommended workflows, but does not clearly warn users that content may be transmitted to external services. In a system handling documents, reports, or generated outputs, silent or poorly disclosed outbound sharing can expose sensitive internal data to third-party platforms.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The suite promotes social publishing and data collection capabilities such as Xiaohongshu automation and TikTok crawling without corresponding warnings about account actions, scraping risks, privacy implications, or platform policy violations. In context, these are not purely passive features; they can affect external accounts and collect third-party data, which raises meaningful security and compliance concerns if invoked without clear safeguards.

Vague Triggers

High
Confidence
95% confidence
Finding
The auto-activation triggers are generic everyday words such as '开发' ("development"), '产品' ("product"), '分析' ("analysis"), '文档' ("document"), '邮件' ("email"), and '搜索' ("search"), making accidental invocation likely during ordinary conversation. In a suite that can activate networked, file-mutating, or externally integrated sub-skills, broad triggers increase the chance of unintended data access, message delivery, or task execution without meaningful user intent.

VirusTotal

64/64 vendors flagged this skill as clean.