Chat Ask

Security checks across malware telemetry and agentic risk

Overview

This is a simple local demo chat skill with reliability and privacy caveats, but no evidence of malware, credential access, network activity, or hidden persistence.

Install only if you want a basic local chat/ask demo. Do not treat its history output as a real audit trail, and avoid sending secrets or sensitive personal data because prompts may be printed to local stderr logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Severity: Medium
Confidence: 86%
Finding: When history is empty, normal `get` and `summary` operations silently inject synthetic messages into the chat log, causing the tool to return fabricated conversation data instead of faithfully reporting stored history. In a chat-history skill, this is security-relevant because downstream agents or users may trust the returned history for context, auditing, or decision-making, creating integrity issues and possible prompt/context contamination.

Missing User Warnings

Severity: Medium
Confidence: 76%
Finding: The documentation presents history management as a normal feature but does not prominently warn that one action permanently clears conversation history. In an agent context, destructive operations without clear warning or confirmation can cause loss of user data, audit trail removal, or make prompt-injection cleanup attacks easier to disguise.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The tool descriptions and names use very broad, natural-language phrasing such as 'chat', 'ask', 'Start or continue a chat conversation', and 'Ask a question to OpenClaw'. In agentic environments that route tool calls based on semantic similarity or user phrasing, such generic triggers can cause unintended invocation during ordinary conversation, potentially exposing chat history actions or sending unintended content to the tool.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The tool writes the full user-supplied question to stderr, which can expose sensitive prompts, secrets, personal data, or operational details in logs without the user's knowledge. In an agent/assistant context, users may reasonably submit confidential content, so routine logging of raw questions increases privacy and data leakage risk wherever stderr is collected, persisted, or monitored.

VirusTotal

63/63 vendors flagged this skill as clean.