Model Switch Notify

Security checks across malware telemetry and agentic risk

Overview

The skill appears to implement model-switch notifications, but it persistently stores session metadata in a hard-coded local path that does not match its documentation.

Review before installing. Patch the database path to use the current user’s OpenClaw data directory, confirm the SQLite file permissions, and only use this where storing agent IDs, model names, channel/session IDs, and pending notification text across sessions is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The `list_all` functionality enumerates all persisted agent state, including agent identifiers, model history metadata, channels, and pending notification status, which goes beyond the skill’s stated purpose of notifying the current session user about model switches. In an agent-skill context, bulk enumeration increases cross-session visibility and can leak operational metadata about other agents or users if the command is reachable by unintended callers.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The `reset_state` function allows deletion of arbitrary agent state by supplying any `agent_id`, which exceeds the narrow notification purpose and can be abused to erase notification history or pending alerts for other agents. In this context, that creates an integrity issue: an attacker or misused integration could suppress future model-switch notifications by clearing stored state.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The README explicitly documents persistent storage of channel and session identifiers in SQLite, but makes no mention of user notice, consent, retention limits, or access controls. Even though this is documentation rather than executable code, the described design creates a privacy risk because session-linked identifiers can enable tracking and correlation of user activity across conversations.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The skill explicitly persists channel and session identifiers in SQLite and reuses them across sessions, but the documentation does not mention user consent, retention limits, minimization, or a privacy notice. Cross-session identifiers can enable tracking, correlation of user activity, and unintended disclosure if the database is accessed by other local users, backups, or adjacent components.

VirusTotal

65/65 vendors flagged this skill as clean.