Openclaw Skill Marketplace

Security checks across malware telemetry and agentic risk

Overview

This marketplace skill appears purpose-built for discovering and installing OpenClaw skills, but its security documentation understates network use and local changes.

Install only if you are comfortable with a marketplace helper that can contact ClawHub, run npx clawhub commands, write synced metadata, and install additional skills into your OpenClaw skills directory. Review any skill name before installing it, and treat installed third-party skills as separate code you must trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Install using the ClawHub CLI
    try:
        log_info("调用 ClawHub CLI 安装...")
        result = subprocess.run(
            ['npx', 'clawhub', 'install', skill_name],
            cwd=str(skills_dir),
            timeout=120
Confidence
85% confidence
Finding
result = subprocess.run( ['npx', 'clawhub', 'install', skill_name], cwd=str(skills_dir), timeout=120 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation describes capabilities that include local file access, file writes during installation, and shell execution via `npx clawhub install`, yet no explicit permissions are declared. This creates a transparency and policy-enforcement gap: users and host platforms may underestimate what the skill can do, increasing the risk of unintended code execution or filesystem modification when the install flow is used.

Intent-Code Divergence

Low
Confidence
95% confidence
Finding
The README's security section makes a materially inaccurate claim about which scripts are included, omitting recommend.py and search-enhanced.py even though they are documented elsewhere in the same file. This can mislead users performing a security review into inspecting only a subset of the skill's functionality, reducing transparency and potentially hiding risky behavior in undocumented scripts.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The security section claims there is no external code download and no remote script execution, but elsewhere the skill states that `install.py` invokes `npx clawhub install`, which downloads and installs external skills. Misstating this behavior can mislead users into trusting an operation that pulls untrusted or insufficiently reviewed code into their environment.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation says all operations are local, no data is uploaded, and the scripts do not need network access, while also acknowledging that installation uses `npx clawhub install` and that browsing/syncing from ClawHub exists. These contradictory assurances reduce informed consent and may cause users to run networked actions under false assumptions about privacy, provenance, and exposure.

VirusTotal

64/64 vendors flagged this skill as clean.
