Growth Engineer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real growth-analytics automation skill, but it bundles broad install, scheduling, credentialed account, GitHub-write, and sudo-capable host changes that should be reviewed before use.

Install only in a dedicated workspace or VPS you are comfortable modifying. Review the generated config before enabling cron, GitHub issue/PR creation, custom command collectors, webhooks/Discord, ASC setup, self-update, or the isolated secret runner. Use least-privilege tokens, prefer read-only provider scopes until write actions are needed, and do not run the sudo or remote-install paths without manual operator review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (42)

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The documentation broadens the skill from proposal drafting into scheduled runtime execution and artifact delivery behavior, including issue/PR-oriented operation modes. That creates capability expansion beyond the stated purpose, which can surprise operators and increase the chance of unattended actions in repositories or chat systems.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
This line explicitly directs automatic creation of GitHub issues or implementation PRs when write access is available, which is a materially stronger action than draft proposal generation. In a live agent environment, that can lead to unauthorized or low-confidence code changes, repo spam, or operational disruption if signals are noisy or misinterpreted.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The script is a live Discord bridge that can post outbound messages to external channels and continuously poll for replies, which is materially broader than the declared growth-analysis/proposal-drafting purpose. In an agent skill context, this creates an unannounced data egress and remote interaction path that could expose internal prompts, analytics, or repository context to third-party services.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The code retrieves a Discord bot token from the environment and uses it to authenticate outbound API calls, enabling the skill to act as a live bot. In this context, the issue is not mere environment-variable usage by itself, but that credentialed external messaging capability is inconsistent with the stated role and enables unauthorized communication if the skill is invoked with sensitive data.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The installer persistently edits multiple shell startup files to change PATH, which is a privileged user-environment modification that outlives the current install session. In the context of a growth-analysis/proposal-drafting skill, this persistence is not clearly necessary, expands the script's blast radius, and can cause unintended command resolution changes in future shells.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The preflight routine is not validation-only: it runs `npm install -g`, creates directories, mutates `PATH`, and persists changes into shell profile files. In an agent skill context, a user may invoke preflight expecting a harmless check, but this code changes the host environment and installs a preview package from the network, creating supply-chain and integrity risk.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
During connection checks, the script executes commands taken from configuration via `runShell(... shell -c ...)`, including custom source commands. If an attacker can influence config, they can achieve arbitrary command execution on the host under the user's privileges, which is especially dangerous because this is framed as a preflight smoke test.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The runner can autonomously update the installed skill via `npx clawhub ... update`, run a bootstrap script from the updated skill, and then restart itself. That gives a growth-analysis runner a software supply-chain and self-modification capability well beyond its stated role, so a compromised package source, malicious update, or misconfigured workspace could replace runtime code and execute attacker-controlled logic.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The notification delivery path supports arbitrary configured shell commands and executes them with inherited environment variables via `runShellCommand`. Because notifications include generated findings and the process environment may contain tokens/secrets, a malicious or unsafe config can turn a simple alert channel into arbitrary code execution and data exfiltration.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
Source collection and chart generation can run arbitrary shell commands from configuration, including custom source commands and charting commands. In a scheduled unattended runner, this effectively gives the skill remote-code-execution behavior under the runner's privileges, which is broader than the declared analytics-correlation purpose and can be abused to modify files, access repos, or exfiltrate secrets.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
This shared module materially exceeds the declared growth-analysis/proposal-drafting role by creating, inspecting, verifying, editing, and repairing OpenClaw and Hermes cron installations plus local scheduler state. In an agent-skill context, that scope expansion increases the chance of unauthorized persistence and background execution, especially because the functions can be reused elsewhere to silently install or maintain scheduled jobs.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The module can directly modify local OpenClaw cron job store files via `repairOpenClawCronDeliveryStore`, changing scheduler behavior outside normal CLI workflows. Direct file-level repair of scheduler state is dangerous because it enables stealthy persistence or delivery-target manipulation without a clear user-facing confirmation, and bypasses higher-level validation controls that the scheduler CLI might enforce.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The code infers GitHub write capability from environment variables and repository configuration, then may auto-enable issue or pull-request creation. In this skill's context, that broadens the role from drafting proposals to potentially taking write actions against external systems, which can cause unintended repository changes if the environment is more privileged than expected.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
This bootstrap script performs broad host mutation well beyond a growth-analysis skill: it installs packages, edits shell profiles, mutates PATH, downloads binaries, and configures local tooling. In an agent-skill context, that scope expansion is dangerous because invoking the skill can unexpectedly change the execution environment and persist changes across future sessions.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The script provisions and repairs OpenClaw and Hermes cron jobs, which alters scheduler infrastructure rather than merely correlating growth signals. That increases risk because a user invoking a data-analysis skill may unknowingly grant it long-lived autonomous execution.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The ASC setup creates ongoing analytics report requests in App Store Connect, which is an account-side write action requiring elevated privileges. For a growth-engineering skill, this exceeds expected read-only telemetry collection and can create persistent external-side changes without clear consent.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The ASC connector fallback executes a remote install script fetched over the network and pipes it directly to bash. This is a classic supply-chain and remote-code-execution risk because any compromise of the remote endpoint, DNS, or transport chain results in arbitrary code execution on the host.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The script uses `/bin/sh -lc` to execute dynamically constructed commands, including repo paths, config paths, CLI invocations, and a preview package-managed tool path. Although some arguments are quoted, invoking a shell at all for health checks increases command-injection and unintended-execution risk, especially if environment variables, filesystem layout, or dependent scripts are attacker-controlled.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
This status script performs account-wide App Store Connect enumeration and analytics readiness assessment across accessible apps, which exceeds a narrow health-check role and can reveal broader tenant state than necessary. In an agent skill context, this expands the data-access blast radius and may expose organizational inventory and setup gaps without explicit scope minimization.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The wizard performs a network-based self-update via `npx clawhub ... update`, bootstraps workspace runtime files, and then re-execs itself. That gives this script authority to replace its own code and local workspace content during normal setup, which is far beyond a configuration wizard and creates a supply-chain/self-modification risk if the package source or update path is compromised.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The script installs or reconfigures OpenClaw and Hermes cron/scheduler jobs from an interactive wizard. Persistently changing host automation expands the blast radius from local setup into recurring code execution, so a compromised or buggy wizard can establish long-lived execution on the host.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The code downloads a GitHub CLI release from the network, extracts it, installs it into `~/.local/bin`, and edits shell profile files to prepend PATH. This is a host-modifying supply-chain action that persists beyond the tool run and could install a malicious binary if the download channel or release metadata is compromised.

Context-Inappropriate Capability

Critical
Confidence: 99%
Finding
This code generates a root-executed install script that creates service users, writes wrappers into `/usr/local/bin`, and creates `NOPASSWD` sudoers entries allowing an agent user to execute commands as another user. Even though framed as secret isolation, it introduces privileged persistence and delegated execution that could be abused for lateral movement, policy bypass, or durable host compromise if the wrapped commands or config become attacker-controlled.

Context-Inappropriate Capability

High
Confidence: 96%
Finding
The wizard provisions recurring automation for OpenClaw/Hermes, effectively turning a setup flow into a persistence mechanism. In the context of an agent skill advertised as analytics correlation and proposal drafting, silently establishing scheduled execution is materially more dangerous than its stated purpose.

Vague Triggers

Medium
Confidence: 82%
Finding
Using generic triggers like "setup" can cause the skill to activate on ordinary conversation and start directing installation or configuration flows unexpectedly. In a skill that can install software, modify files, and guide secret handling, overly broad invocation materially raises the chance of unintended privileged actions.

VirusTotal

61/61 vendors flagged this skill as clean.
