New Player Package 800

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed setup guide with no executable files, but it recommends installing powerful OpenClaw add-ons and handling tokens, so users should review the steps first.

Install only after reading the script line by line. Verify each recommended skill before granting broad system or filesystem authority, avoid unneeded global installs, keep gateway tokens out of shared files and shell history, and decide what memory/vector-search features may index before enabling them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 88%
Finding
The one-click script performs system-changing actions such as global package installation and creating persistent directories under the user's home directory, but it does not clearly warn users about those side effects or advise review before execution. In a skill intended for deployment optimization, users are especially likely to copy-paste commands directly, which increases the chance of unintended environment changes or trust in unreviewed third-party packages.

Missing User Warnings

Medium
Confidence: 92%
Finding
The guide instructs users to place authentication tokens in configuration and environment variables without any guidance on secret handling, storage safety, rotation, or avoiding exposure in shell history and shared files. Because this skill is specifically about OpenClaw deployment and authentication troubleshooting, the context makes secret mishandling more dangerous: users may paste real production tokens into configs or terminals without safeguards.

VirusTotal

64/64 vendors flagged this skill as clean.
