Smart Report Generator

Security checks across malware telemetry and agentic risk

Overview

This report bot behaves like a user-run reporting tool, but reports and task details can leave the local environment through an AI service or configured chat webhook.

Install only if your organization permits task and report content to be processed by the OpenClaw/model provider and sent to the configured chat webhook. Use limited-scope webhooks, verify the recipient platform before sending, avoid confidential task details unless approved, and do not rely on the advertised scheduling or platform support without testing because the included code is narrower than the description.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill prominently advertises automatic multi-platform pushing of generated reports to external IM platforms, but it does not warn users that report contents may be transmitted outside the local environment via webhooks. Because reports can contain operational updates, blockers, and potentially sensitive business information, users may unknowingly disclose internal data to third-party services or misconfigured endpoints.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill describes multi-person aggregation and scheduled delivery of team reports without explaining consent, access control, retention, or disclosure risks for aggregated team data. In this context, automated collection and redistribution can expose employee activity, project status, and blockers to unintended recipients if the configuration is overly broad, the webhook is wrong, or users are unaware of the sharing behavior.

Missing User Warnings

Medium
Confidence: 88%
Finding
The weekly-report path serializes the full task list and sends it to an external AI provider, which may expose internal project details, names, progress, or sensitive business context to a third party. There is no explicit consent gate, data minimization, or masking at the transmission point, so users may unintentionally export sensitive work data outside their environment.

VirusTotal

62/62 vendors flagged this skill as clean.
