Auto-Claw

Security checks across malware telemetry and agentic risk

Overview

Auto-Claw largely matches its WordPress automation purpose, but it grants broad live-site control while its approval and safety controls are weaker than advertised.

Install only in a staging or isolated WordPress environment first. Do not give it production SSH, WP-CLI, web-root, webhook, or vault access until the approval pipeline fails closed, shell command construction is replaced with safe argument lists, live-site defaults are removed, and persistent mu-plugin or publishing actions require explicit user confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (64)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def wp_cmd(args: str) -> tuple:
    """执行 WP-CLI 命令,返回 (stdout, stderr, returncode)"""
    cmd = f"cd {WEB_ROOT} && WP_CLI_PHP={PHP_BIN} {WP_CLI} --allow-root {args}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)
    return result.stdout.strip(), result.stderr.strip(), result.returncode

def print_header(title):
Confidence
97% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        if not self.web_root:
            return "", "", 1
        cmd = f"cd {self.web_root} && WP_CLI_PHP={self.php_bin} {self.wp_cli} --allow-root {args}"
        r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)
        return r.stdout.strip(), r.stderr.strip(), r.returncode
    
    def _detect_current_cache(self):
Confidence
98% confidence
Finding
r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _wp(self, args: str) -> Tuple[str, str, int]:
        cmd = f"cd {self.web_root} && WP_CLI_PHP={self.php_bin} {self.wp_cli} --allow-root {args}"
        r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)
        return r.stdout.strip(), r.stderr.strip(), r.returncode
    
    def scan_images(self, max_depth: int = 3) -> List[ImageInfo]:
Confidence
98% confidence
Finding
r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        if not self.web_root:
            return "", "No web root", 1
        cmd = f"cd {self.web_root} && WP_CLI_PHP={self.php_bin} {self.wp_cli} --allow-root {args}"
        r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)
        return r.stdout.strip(), r.stderr.strip(), r.returncode
    
    def measure_ttfb(self, url: str) -> float:
Confidence
98% confidence
Finding
r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        if not self.wp_web_root:
            return "", "No web root configured", 1
        cmd = f"cd {self.wp_web_root} && WP_CLI_PHP={self.php_bin} {self.wp_cli} --allow-root {args}"
        r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)
        return r.stdout.strip(), r.stderr.strip(), r.returncode
    
    def get_site_url(self) -> str:
Confidence
98% confidence
Finding
r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""执行命令。本地模式用subprocess,远程用SSH"""
        if self.ssh_host == "localhost" or self.ssh_host in ("127.0.0.1", ""):
            # 本地模式:直接执行
            result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)
            return result.stdout.strip(), result.stderr.strip(), result.returncode
        else:
            # 远程模式:通过SSH
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        else:
            # Remote mode: via SSH
            full_cmd = f"cd {self.web_root} && {cmd}"
            result = subprocess.run(
                ["ssh", "-i", self.ssh_key, "-o", "StrictHostKeyChecking=no",
                 f"{self.ssh_user}@{self.ssh_host}", full_cmd],
                capture_output=True, text=True, timeout=60
Confidence
98% confidence
Finding
result = subprocess.run( ["ssh", "-i", self.ssh_key, "-o", "StrictHostKeyChecking=no", f"{self.ssh_user}@{self.ssh_host}", full_cmd], captu

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The file presents itself as a harmless demo, but it is wired to interact with a real external WordPress site and local web root paths. That mismatch can mislead operators into running it in environments where network access, file inspection, or administrative actions were not expected, increasing the risk of unintended production impact.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
This section exposes broad operational capabilities including WordPress management, vault access, gate pipelines, and audit components without narrowing scope or enforcing strong safety boundaries in this script. In an agent skill context, bundling high-privilege administrative and security-framework functions into a general demo increases the chance of misuse, overbroad invocation, or accidental execution against real infrastructure.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The demo claims publishing occurs only after Gate Pipeline approval, but this file directly calls agent.create_post(..., status="publish") without an explicit approval check in the demonstrated flow. In an automation/security-sensitive context, this can mislead operators into believing a safety gate is enforced when the action may execute immediately, increasing the risk of unauthorized or unintended content publication.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The script presents itself as a demo/audit tool, but it also produces deployment-ready WordPress mu-plugin code and writes it to disk for later installation. That mismatch is security-relevant because operators may run it expecting passive analysis, while it actually prepares persistent modification artifacts for a live site, increasing the chance of unintended deployment or trust abuse.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code does not merely display sample injection code; it generates a persistent mu-plugin PHP file intended for installation under wp-content/mu-plugins. In a security context, generating installable server-side injection artifacts is materially more dangerous than a transient demo because it creates a ready-to-deploy persistence mechanism that could be misused if schema content or target context is untrusted.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The document presents inconsistent safety guarantees: it claims the agent cannot delete and that high-risk actions are blocked, while elsewhere marketing language says the agent autonomously does the work and executes fixes. In a security-sensitive autonomous admin context, contradictory control descriptions can cause operators to overtrust the system, approve unsafe deployments, or misunderstand what actions the agent may actually perform.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script presents itself as only showing items pending human authorization, yet it also asserts that multiple impactful system and WordPress changes were already completed autonomously. This creates a misleading trust boundary: an operator may believe no privileged or state-changing actions occurred when the script is actually representing prior unsupervised modifications, which can conceal unauthorized changes and reduce informed consent.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The delete gate is intended to require explicit confirmation, but `_check_delete` returns true when `dangerous` is set, effectively allowing a caller to self-assert risk and bypass confirmation. An attacker or buggy upstream agent can set `params["dangerous"] = True` and have destructive operations approved without the intended safeguard.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The section is labeled as an analytics summary, but it silently performs a state-changing POST to the tracking endpoint. A reporting script should be read-only; hidden writes can corrupt metrics, create misleading audit results, and violate operator expectations about what the script does.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The code presents this as a competitor monitor report, but it resets stored state and forces a fresh check by writing to a WordPress option before invoking the check function. This makes the report non-passive and can trigger unexpected network activity, state changes, or load against external targets under the guise of reporting.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code transmits post metadata and a content preview to an externally configured webhook during approval flow. That creates an outbound data exfiltration path for potentially sensitive draft content, and the destination is taken from configuration without any allowlist, trust validation, or explicit user consent in this file.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The docstring claims audit logs are '不可篡改' (tamper-proof), but the implementation only appends JSON lines to a normal local file with no cryptographic integrity checks, append-only enforcement, remote replication, or access controls. This can mislead operators into trusting the audit trail during incident response or compliance review even though anyone with filesystem access can alter or delete entries.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This helper provides active system-command execution capability and is not limited to a fixed safe command set. In this skill's context, the method is called automatically during object initialization, so merely constructing the optimizer can trigger shell execution against the host environment.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The page renders claims such as '真实评价' (genuine review) and '已验证购买' (verified purchase) even though reviews are created locally and the `add_review` API defaults `author` to 'Verified Buyer' and `is_verified` to `True` without any actual purchase-validation workflow. This can misrepresent testimonials as authentic and verified, creating deceptive trust signals that may violate consumer-protection rules and enable fraudulent marketing.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The default approval callback unconditionally returns True, which means MEDIUM and HIGH risk operations are automatically approved whenever no real approval handler is supplied. This directly defeats the documented safety model for gated write and destructive actions, allowing sensitive operations such as plugin installation, core updates, deletions, or SQL execution to proceed without human review.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The test name and docstring claim a high-risk destructive action is blocked and logged, but the assertion accepts allow or need_approval, weakening the security contract the test is supposed to enforce. This kind of misleading test can let unsafe policy regressions slip through CI, especially around destructive operations like delete_all_posts.

Intent-Code Divergence

Low
Confidence
78% confidence
Finding
The test claims a callback approves a high-risk operation, but the operation used is documented in the file as medium risk. This inconsistency can conceal gaps in approval enforcement by giving a false sense that high-risk override logic is covered when it may not be.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README encourages running audits against a real customer site and supplying a live WordPress web root path, but it does not warn that this may access sensitive site content, configuration files, plugins, or system metadata. In an agent-skill context, examples like this can normalize scanning or file access on production environments and lead users or downstream agents to operate on live systems without informed consent or safeguards.

VirusTotal

64/64 vendors flagged this skill as clean.
