ClawHub

OpenClaw Glasses (多源搜索+意图感知+权重自适)

Security checks across malware telemetry and agentic risk

Overview

This is a real search and research skill, but it can reuse local credentials and perform broad external fetching without clear opt-in boundaries.

Install only if you are comfortable with a search tool that can call several external providers, reuse local OpenClaw search credentials, and automatically use GitHub credentials found on the machine. Prefer low-scope dedicated API keys, avoid sensitive private URLs or confidential queries, and review recursive fetching behavior before using deep thread-pulling features.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises executable capabilities involving environment access, file read/write, and network use without any declared permissions or clear scoping. That creates a transparency and policy-enforcement gap: users and the host agent may invoke a skill that can access credentials, local files, or external services more broadly than expected.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior frames the skill as a search/reranking layer, but the actual capability set extends into recursive crawling, thread harvesting, structured extraction, knowledge-state updates via LLM, and GitHub token discovery from environment variables and ~/.git-credentials. This mismatch is dangerous because it conceals materially more invasive data access and processing than a user or orchestrator would reasonably expect from a search skill.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The tracker recursively follows links discovered in fetched content, expanding from seed URLs into arbitrary third-party domains. In a search-layer skill this increases the attack surface for unintended network access, SSRF-like behavior against internal resources if reachable, and collection of untrusted content beyond what a user likely expects from a simple lookup flow.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill automatically discovers GitHub credentials from environment variables and the user's ~/.git-credentials file even though its stated role is search/retrieval. That creates unnecessary access to secrets and silently upgrades ordinary URL fetching into authenticated requests, which can expose private repository metadata or use credentials without user awareness.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill claims to be a search-layer tool, but it also fetches arbitrary result URLs and extracts references from remote pages and GitHub threads. This expands its capability from retrieval/ranking into active remote-content ingestion, increasing SSRF-style exposure, privacy risk, and attack surface without clear separation or user warning.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
GitHub issue/PR retrieval is a materially different capability from search aggregation and can pull large amounts of remote user-generated content. In skill context, this broader fetching behavior is more dangerous because it is hidden behind a search-oriented description and may surprise users or calling agents.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The code reads local credential files, OpenClaw config, and environment variables to automatically reuse unrelated provider settings. In an agent-skill context, this is risky because it broadens secret access beyond the declared inputs and can silently enable outbound transmission to third parties using ambient credentials.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger language is extremely broad ('use when' for web search, deep research, latest status/news, comparisons, resources, Chinese-language search, and realtime market data), which increases the chance of automatic invocation in situations where the user did not intend multi-provider transmission or deep retrieval. In context, that is more risky because this skill also appears to support expansive networked collection and follow-up fetching.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes multi-source aggregation across several external providers but does not warn that user queries and possibly derived subqueries may be sent to multiple third parties. This creates a privacy and data-governance risk, especially for sensitive prompts, proprietary research topics, or identifiers embedded in search queries.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Fetched page bodies and comment text are embedded into an LLM prompt, which can transmit third-party content to an external model provider. That creates data handling and privacy risk, especially if crawled pages contain sensitive, copyrighted, access-restricted, or user-unexpected content, and the file provides no disclosure or minimization beyond simple truncation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code uses GitHub tokens from local secrets sources without any user-facing notice, consent, or logging. In an agent skill, this is dangerous because users may believe the tool performs anonymous web retrieval while it actually consumes local credentials and may access different data or send authenticated requests off-host.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends the user's query, knowledge_state, and candidate link context to an external LLM service without any explicit disclosure, consent flow, or data minimization. Because knowledge_state and candidate context may contain sensitive user data, this creates a real privacy and policy risk even if the transmission is functionally required for relevance scoring.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
User queries are sent to multiple external providers, potentially including finance, status, and research queries that may contain sensitive or proprietary content. In this skill context, the danger is elevated because the whole purpose is broad multi-provider fanout, yet there is no user-facing disclosure or consent boundary in code.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The --extract-refs path fetches arbitrary URLs and GitHub issue/PR content without warning the user that the tool will perform additional network access beyond search. This can expose browsing intent, fetch attacker-controlled pages, and unexpectedly ingest external content into the agent workflow.

Ssd 4

Medium
Confidence
91% confidence
Finding
Untrusted anchor text and page context are interpolated directly into a single natural-language prompt, allowing prompt injection from retrieved content to influence the model's scoring decisions. An attacker can craft link text or snippets that bias the model into over-scoring malicious or irrelevant links, degrading search integrity and potentially steering downstream retrieval toward unsafe content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal