CEO小茂能力包 (CEO Xiaomao Capability Pack)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent sales-automation skill, but it can automatically monitor contacts, send messages and files, call external agents, and retain customer data with limited safeguards.

Install only if you intend to run a sales/outreach automation tool. Use dedicated revocable credentials, a controlled workspace, a small approved contact list, and review all templates, product files, logs, and the configured OpenClaw agent permissions before enabling auto-reply or batch sending on a real business account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        openclaw_bin = shutil.which('openclaw')
        result = subprocess.run(
            [openclaw_bin, 'agent', '--agent', AI_AGENT,
             '--message', prompt, '--timeout', '40'],
            capture_output=True, text=True, timeout=50
Confidence
92% confidence
Finding
result = subprocess.run( [openclaw_bin, 'agent', '--agent', AI_AGENT, '--message', prompt, '--timeout', '40'], capture_output=True, text=True, timeout=50

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def ai_generate_reply(prompt_text):
    try:
        openclaw_bin = shutil.which('openclaw')
        result = subprocess.run(
            [openclaw_bin, 'agent', '--agent', AI_AGENT,
             '--message', prompt_text, '--timeout', '25'],
            capture_output=True, text=True, timeout=35
Confidence
92% confidence
Finding
result = subprocess.run( [openclaw_bin, 'agent', '--agent', AI_AGENT, '--message', prompt_text, '--timeout', '25'], capture_output=True, text=True, timeout

Tainted flow: 'url' from os.environ.get (line 133, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
def download_file(url, save_path):
    try:
        r = requests.get(url, timeout=60, stream=True)
        if r.status_code == 200:
            with open(save_path, 'wb') as f:
                for chunk in r.iter_content(8192): f.write(chunk)
Confidence
98% confidence
Finding
r = requests.get(url, timeout=60, stream=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill advertises and orchestrates powerful capabilities including environment-variable access, file read/write, shell execution, network access, and outbound communications, but does not declare permissions or present a clear trust boundary. In an agent ecosystem, this weakens reviewability and user consent, making it easier for a skill to exfiltrate secrets, modify local state, or send external messages without the user fully understanding the scope.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code sends all configured catalog files on every incoming text message, regardless of whether the customer requested them. In a messaging automation context, this can leak sensitive sales materials, create spammy behavior, and trigger unintended file transmission to arbitrary contacts.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script enumerates all chats, discovers new contacts automatically, and persistently adds them to its monitoring set. This materially expands surveillance and automated engagement beyond a simple auto-reply assistant, increasing privacy risk and the chance of unsolicited contact or accidental monitoring of unrelated conversations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The markdown promotes email and WhatsApp sending workflows, including batch dispatch and conversation automation, without an explicit warning that customer data, message content, attachments, and contact identifiers will be transmitted to third-party services. In this business-prospecting context, the omission increases the risk of accidental data leakage, unauthorized outreach, spam/compliance violations, and unintended external actions by users or agents.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Customer chat content, attachments, and product materials are transmitted to external services, but the code contains no user-facing notice, consent mechanism, or operator disclosure. In a business messaging context, this can expose sensitive customer communications and files to third-party processors without adequate transparency.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The script writes recipient email addresses and send results to a local CSV log, creating a persistent record of personal contact data that may be accessible to other users or processes on the host. While not covertly malicious, this can cause unnecessary exposure of PII and campaign metadata if the log file is left unprotected or shared.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The script transmits phone numbers and message contents to an external WhatsApp gateway, but it does not enforce transport security or provide any user-visible disclosure about that transfer. If GREEN_API_URL is configured with HTTP or an untrusted endpoint, sensitive recipient and message data could be exposed in transit or sent to an unintended service.

Missing User Warnings

Medium
Confidence
75% confidence
Finding
The script transmits phone numbers and message bodies from a CSV to a third-party WhatsApp API without any confirmation prompt, disclosure, or safeguards around sensitive contact data. In a business-contacting skill, this is contextually more dangerous because it processes potentially large batches of personal or commercial outreach data, making accidental privacy violations or misdirected bulk messaging more likely.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script creates a local log file containing phone numbers and API responses without warning the user or minimizing sensitive data. Those logs can persist on disk, be copied into backups, or be read by other local users or processes, exposing contact information and operational metadata.

VirusTotal

65/65 vendors flagged this skill as clean.
