Enterprise AI Assistant Bundle

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Feishu/OpenClaw assistant bundle, but it needs review before use because it exposes enterprise chat messages and credentials without enough security controls.

Review before installing. Use a virtual environment with pinned dependencies, protect config.json and shell history, configure the Feishu app with minimal permissions, and do not expose the webhook publicly until request verification, channel/user allowlists, and rate limiting are added. Confirm that sending chat messages to the configured OpenClaw endpoint is allowed under your organization’s data policy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
        print("✅ lark 已安装")
    except ImportError:
        print("❌ lark 未安装,正在安装...")
        os.system("pip install lark")

    try:
        import openclaw
Confidence
89% confidence
Finding
os.system("pip install lark")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
        print("✅ openclaw 已安装")
    except ImportError:
        print("❌ openclaw 未安装,正在安装...")
        os.system("pip install openclaw")

def create_config(app_id, app_secret, model="deepseek-chat"):
    """创建配置文件"""
Confidence
89% confidence
Finding
os.system("pip install openclaw")

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises automatic message handling in Feishu group chats and AI auto-replies, but provides no notice about privacy, consent, retention, or what message content is sent to third-party AI models. In an enterprise chat context, this can expose sensitive business, employee, or customer data to unintended processing and creates compliance risk even if the omission is unintentional.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The webhook forwards user message content to an external LLM service without any notice, consent mechanism, or apparent data-classification controls. In an enterprise chat context, users may send sensitive business, customer, or credential data, so undisclosed third-party transmission creates privacy, compliance, and data-governance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script writes sensitive credentials, including app_secret, into a local config.json file in plaintext without warning, permission hardening, or guidance on secure storage. This increases the chance of accidental disclosure through source control, backups, shared directories, or lax file permissions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script automatically installs packages via shell commands without explicit confirmation, which is risky operational behavior for a deployment helper. In context, this is more dangerous because it is a convenience bootstrap script likely to be run by operators with trust assumptions, making silent environment modification and package retrieval more likely to go unnoticed.

VirusTotal

65/65 vendors flagged this skill as clean.