PaperMC AI Operations

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches PaperMC server administration, but it ships unrelated publishing tools with hardcoded credentials and broad upload behavior that users should review before installing.

Install only after removing or isolating the publishing scripts and rotating the exposed ClawHub token. Configure server paths explicitly, restrict plugin/server downloads to trusted sources with verification, require human approval for restarts and file replacement, and decide whether the ~/.openclaw cost/log files are acceptable for your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (24)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Run the start command
import subprocess
process = subprocess.Popen(
    [str(start_script)],
    cwd=str(SERVER_DIR),
    stdout=subprocess.PIPE,
Confidence
88% confidence
Finding
process = subprocess.Popen( [str(start_script)], cwd=str(SERVER_DIR), stdout=subprocess.PIPE, stderr=subprocess.PIPE,

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises broad operational capabilities including shell, file read/write, environment access, network access, and possibly MCP interactions, but does not declare permissions. This undermines least-privilege controls and informed consent: an operator may trust a safety-first server-management skill without realizing it can access the filesystem, environment variables, and external network, which increases the blast radius if the skill is compromised or behaves unexpectedly.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is PaperMC server operations, but the detected behavior includes external publishing/upload workflows, hardcoded bearer-token authentication, outbound upload of local repository files, and AI cost/reporting functions unrelated to the stated mission. This mismatch is dangerous because it can conceal data exfiltration, secret exposure, or supply-chain actions behind a benign operational description, causing users to grant trust and execution access under false assumptions.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This module enumerates processes, terminates them, escalates to kill, and launches the server process directly, which is powerful host-control behavior rather than a constrained interface. Because the skill context promises safe, controlled PaperMC management, this mismatch increases risk: an agent using this code can directly disrupt service availability and manipulate host processes without a stronger isolation boundary.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The download routine overwrites the process-wide NO_PROXY environment variable, affecting networking behavior for the entire running process, not just this single request. In an agent environment with shared libraries or concurrent tasks, this can unintentionally bypass proxy controls, alter routing for unrelated requests, and weaken network policy enforcement.
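The scoped alternative this finding points to, as an added example that is not code from the skill: the flagged pattern rewrites os.environ, which every library in the process reads, while a urllib opener built with an explicit, empty ProxyHandler bypasses the proxy for its own requests only. No request is made; the host name is only used to query the process-wide bypass policy, and the fetch helper is not exercised offline.

```python
import os
import urllib.request


def flagged_opener():
    """The pattern the finding describes: switch the proxy off by rewriting the
    process-wide environment. Every later request in this process, from any
    library that honours NO_PROXY, now bypasses the proxy as well."""
    os.environ["NO_PROXY"] = "*"
    return urllib.request.build_opener()  # default handlers read os.environ


def scoped_opener():
    """Scoped alternative: an opener given an explicit, empty proxy map sends
    its own requests directly and never touches os.environ, so concurrent
    tasks keep whatever proxy policy the operator configured."""
    return urllib.request.build_opener(urllib.request.ProxyHandler({}))


def env_bypasses_proxy(host):
    """The process-wide policy as other code sees it: would a default urllib
    request to host skip the configured proxy?"""
    return urllib.request.proxy_bypass_environment(host)


def fetch(url, opener):
    """Download through a chosen opener (network; not exercised offline)."""
    with opener.open(url, timeout=30) as resp:
        return resp.read()


def demo(host="api.papermc.io"):
    """Observe the policy before, after the scoped opener, and after the
    flagged one; undo the mutation afterwards so the demonstration is clean."""
    for name in ("NO_PROXY", "no_proxy"):
        os.environ.pop(name, None)
    before = env_bypasses_proxy(host)
    scoped_opener()
    after_scoped = env_bypasses_proxy(host)
    flagged_opener()
    after_flagged = env_bypasses_proxy(host)
    os.environ.pop("NO_PROXY", None)
    return before, after_scoped, after_flagged
```

demo() returns (False, False, True): the scoped opener leaves the process-wide policy alone, the flagged one flips it for everything that runs afterwards. The same distinction applies to requests-style libraries, where the per-session proxy setting rather than os.environ is the right place to opt out.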

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The implementation describes a safe restart but actually sends terminate and then kill to the detected PaperMC process if it does not exit quickly. That discrepancy is dangerous because operators or higher-level agents may assume graceful in-server shutdown semantics, while the code can cause abrupt termination, world corruption, plugin state loss, or denial of service.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script recursively enumerates repository files and uploads all matching text files to an external API, which can disclose source code, configuration, documentation, operational notes, and other sensitive material unrelated to PaperMC server management. In this skill context, broad repository exfiltration is especially concerning because the advertised purpose is server operations, not remote publication of local project contents, so the data transfer exceeds expected scope.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code performs authenticated network upload to a third-party service and packages local repository content for transmission, creating a direct outbound exfiltration path. Because this capability is unrelated to the stated PaperMC server-management purpose, it increases the attack surface and could be abused to leak local operational data or proprietary files if the script is run in the wrong directory or from a modified skill repository.

Description-Behavior Mismatch

High
Confidence
88% confidence
Finding
The file performs authenticated publishing of a packaged skill to an external service, which is unrelated to the declared PaperMC server-management purpose. In a skill that users expect to manage Minecraft infrastructure, hidden distribution capabilities broaden the trust boundary and can enable unauthorized exfiltration or repackaging workflows that users would not reasonably expect.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
The script includes account-query and external publishing actions that are unnecessary for the stated server-operations function. Because the skill context is infrastructure administration, unexpected authenticated calls to third-party services are more dangerous: operators may grant broad trust to the skill, creating an avenue for account misuse and data disclosure outside the PaperMC environment.

Intent-Code Divergence

Medium
Confidence
74% confidence
Finding
The module is explicitly documented as a ClawHub publishing tool, which contradicts the manifest's PaperMC-management claim. This mismatch is security-relevant because deceptive or misleading packaging causes users and reviewers to underestimate the code's true capabilities, making risky authenticated network behavior harder to detect.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This script implements AI cost/accounting behavior inside a skill advertised for PaperMC server lifecycle and plugin operations, creating a capability mismatch that can surprise users and operators. While not directly exploitable as code execution, out-of-scope telemetry-style logging increases trust and governance risk because it stores activity details unrelated to the declared server-management purpose.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script records AI model usage, token counts, tasks, and notes even though that capability is not justified by the skill's stated PaperMC operations purpose. In this context, unjustified collection is dangerous because operators may provide sensitive operational notes or prompts that are then persisted locally without expecting the skill to perform accounting.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The script presents itself as an automated upgrade-readiness evaluator, but it fabricates major parts of the score using hardcoded assumptions like 'assuming all plugins compatible' and 'assumes security patches included'. In an AI ops/server-management context, this can drive unsafe upgrade decisions while giving operators false confidence that validation was actually performed.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The compatibility check claims to evaluate plugins but mostly grants points without any real validation, which can incorrectly classify a server as upgrade-ready. In this skill's operational context, that could trigger outages, plugin breakage, or data corruption after an upgrade because compatibility was never actually checked.
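What a compatibility check that actually looks at the plugins can do, as an added example rather than the skill's evaluator: each jar's plugin.yml or paper-plugin.yml declares an api-version, a plugin whose api-version is newer than the target server will not load, and a plugin with no api-version is a legacy plugin worth a closer look. The jars, plugin names and the target version 1.21.4 are constructed for the demonstration; the small key/value reader handles only the flat manifest lines this check needs and is not a YAML parser.

```python
import io
import re
import zipfile

MANIFESTS = ("paper-plugin.yml", "plugin.yml")


def _version_tuple(text):
    """'1.21.4' -> (1, 21, 4); tolerant of suffixes such as '1.20-R0.1'."""
    m = re.match(r"(\d+(?:\.\d+)*)", str(text).strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def _flat_scalars(yaml_text):
    """Read the top-level 'key: value' lines of a plugin manifest. Not a YAML
    parser: nested blocks are ignored, which is all this check needs."""
    out = {}
    for line in yaml_text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.+?)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2).strip("'\"")
    return out


def read_manifest(jar_bytes):
    """Return the plugin manifest as a dict, or None if the jar has none."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in MANIFESTS:
            if name in zf.namelist():
                return _flat_scalars(zf.read(name).decode("utf-8"))
    return None


def assess_plugin(jar_bytes, target_version):
    """'blocked' cannot load on the target, 'legacy' declares no api-version
    (loaded with legacy compatibility and worth a look), 'ok' otherwise."""
    manifest = read_manifest(jar_bytes)
    if manifest is None:
        return "blocked", "no plugin.yml or paper-plugin.yml in jar"
    name = manifest.get("name", "?")
    api = manifest.get("api-version")
    if api is None:
        return "legacy", f"{name}: no api-version declared"
    if _version_tuple(api) > _version_tuple(target_version):
        return "blocked", f"{name}: api-version {api} is newer than server {target_version}"
    return "ok", f"{name}: api-version {api}"


def upgrade_readiness(jars, target_version):
    """Unlike a score built on 'assuming all plugins compatible', readiness is
    False whenever any plugin is blocked, and every legacy plugin is reported."""
    results = [assess_plugin(b, target_version) for b in jars]
    return all(status != "blocked" for status, _ in results), results


def make_jar(manifest_name, yaml_text):
    """Build a minimal in-memory jar (constructed data for the demonstration)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(manifest_name, yaml_text)
    return buf.getvalue()


# Constructed plugins: one current, one built for a newer API, one legacy.
SAMPLE_JARS = [
    make_jar("plugin.yml", "name: SampleGuard\nversion: 7.0\napi-version: '1.20'\nmain: sg.Main\n"),
    make_jar("paper-plugin.yml", "name: FutureAPI\nversion: 1.0\napi-version: '1.22'\nmain: fa.Main\n"),
    make_jar("plugin.yml", "name: OldEconomy\nversion: 0.9\nmain: old.Main\n"),
]
```

Against a 1.21.4 target the constructed set is not ready: SampleGuard is ok, FutureAPI is blocked and OldEconomy is legacy. A real evaluator would go on to check the plugin's declared dependencies and the vendor's support matrix; the point here is that a verdict is derived from evidence in the artifacts rather than from a hardcoded assumption.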

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly documents `plugin_manager.py install-url <url> --filename <name>` without warning that plugins are executable third-party code with full access to the Minecraft server process and often broad filesystem/network access. In an AI-ops skill, normalizing URL-based plugin installation makes it easier for an agent or operator to fetch and deploy untrusted or tampered artifacts, which can lead to remote code execution, credential theft, persistence, or server compromise.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README documents `update_paper.py update-from-url <url>` without warning that this replaces the core server binary from a remote source. A URL-driven update path in an agent skill is dangerous because a malicious or mistyped URL could cause deployment of a trojanized server jar, resulting in full compromise of the game server environment and potentially the host account running it.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The upgrade flow downloads a replacement JAR and then unlinks the existing plugin file without any execution-time confirmation or approval gate before the destructive change. In an automated agent setting, that can lead to accidental service disruption, unwanted upgrades, rollback complexity, or replacement with an untrusted artifact if upstream metadata is wrong or compromised.
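The verification and approval gate that the Overview recommends and that the update-from-url and upgrade findings above say is missing, as an added example that is not code from the skill: the replacement is hashed against a value obtained out of band, an approval callback is asked at execution time with the exact change spelled out, and the swap is atomic with the previous jar kept as a backup. The sample jar bytes are constructed in memory; the approve callable, the file names and the size threshold are assumptions.

```python
import hashlib
import io
import os
import shutil
import tempfile
import time
import zipfile
from pathlib import Path


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data, expected_sha256, min_size=1024):
    """Reject the download unless it is a jar of plausible size whose SHA-256
    matches a hash obtained out of band (for PaperMC builds the downloads API
    publishes one; here the caller supplies it). None means accepted."""
    if len(data) < min_size:
        return f"artifact too small ({len(data)} bytes)"
    if not data.startswith(b"PK\x03\x04"):
        return "artifact is not a zip/jar"
    actual = sha256_hex(data)
    if actual != expected_sha256.lower():
        return f"sha256 mismatch: expected {expected_sha256[:12]}..., got {actual[:12]}..."
    return None


def replace_with_approval(target, data, expected_sha256, approve):
    """Verify first, then obtain a fresh approval that names the exact change,
    then swap the file atomically, keeping the old jar as a backup. approve is
    a callable under the operator's control (console prompt, ticket check);
    in an agent loop it must not be a stored "yes" from an earlier turn."""
    target = Path(target)
    problem = verify_artifact(data, expected_sha256)
    if problem:
        return "rejected", problem
    old_size = target.stat().st_size if target.exists() else 0
    summary = (f"replace {target} ({old_size} bytes) with {len(data)} bytes, "
               f"sha256 {expected_sha256[:12]}...")
    if not approve(summary):
        return "declined", summary
    backup = ""
    if target.exists():
        backup = str(target.with_name(f"{target.name}.{int(time.time())}.bak"))
        shutil.copy2(target, backup)
    fd, tmp = tempfile.mkstemp(dir=target.parent, prefix=".incoming-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.replace(tmp, target)  # atomic on one filesystem; no half-written jar is ever live
    return "replaced", backup


def sample_jar(payload=b"x" * 4096):
    """Constructed stand-in for a downloaded jar: a real zip container, so the
    magic-number check is meaningful, holding filler content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("filler.bin", payload)
    return buf.getvalue()


def demo():
    """Exercise the flow in a scratch directory: an honest artifact, one with a
    flipped bit, and an operator who declines. Returns the outcome labels and
    whether the live jar still holds the honestly installed content."""
    work = Path(tempfile.mkdtemp())
    target = work / "paper.jar"
    target.write_bytes(sample_jar(b"old" * 2000))
    good = sample_jar()
    published = sha256_hex(good)                    # the hash fetched out of band
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])  # one bit flipped in transit
    r1 = replace_with_approval(target, good, published, lambda s: True)
    r2 = replace_with_approval(target, tampered, published, lambda s: True)
    r3 = replace_with_approval(target, good, published, lambda s: False)
    intact = target.read_bytes() == good
    shutil.rmtree(work)
    return r1[0], r2[0], r3[0], intact
```

demo() returns ("replaced", "rejected", "declined", True): the honest artifact goes live with a backup beside it, the tampered one never touches disk, and a declined approval changes nothing. Wiring the same gate in front of a plugin install-url keeps URL-driven fetches from becoming silent replacements.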

Missing User Warnings

High
Confidence
95% confidence
Finding
When auto_restart is enabled, the code can terminate and eventually kill the running PaperMC process without a fresh, explicit confirmation at the moment of execution. In a live game server context this directly affects availability and can interrupt players, corrupt state, or cause data loss, making the automation materially risky even if intended for maintenance.
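An orderly stop that matches what operators assume, serving both the safe-restart finding and the auto_restart finding above, as an added example that is not the skill's code: the server is asked to stop through its console so it saves and shuts down itself, and terminate/kill are reached only when the caller has explicitly allowed escalation for this run. The two child processes are constructed stand-ins for a responsive and a stuck server, not PaperMC; the timeouts are assumptions.

```python
import subprocess
import sys


def graceful_stop(proc, timeout=60.0, allow_force=False):
    """Ask the server to save and stop through its console ("stop" on stdin is
    PaperMC's orderly shutdown), wait up to timeout, and escalate to
    terminate/kill only when the caller has explicitly allowed it for this run.
    Returns 'stopped', 'still_running', 'terminated' or 'killed'."""
    if proc.poll() is not None:
        return "stopped"
    if proc.stdin is not None:
        try:
            proc.stdin.write(b"stop\n")
            proc.stdin.flush()
        except (BrokenPipeError, OSError):
            pass  # console already gone; fall through to the wait
    try:
        proc.wait(timeout=timeout)
        return "stopped"
    except subprocess.TimeoutExpired:
        pass
    if not allow_force:
        return "still_running"  # report back; never take the world down silently
    proc.terminate()
    try:
        proc.wait(timeout=10)
        return "terminated"
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.wait()
        return "killed"


# Constructed stand-ins for the server process (not PaperMC): the first
# honours "stop" like a healthy server, the second hangs like one stuck mid-save.
POLITE = "import sys\nfor line in sys.stdin:\n    if line.strip() == 'stop':\n        sys.exit(0)\n"
STUCK = "import time\ntime.sleep(600)\n"


def spawn(script):
    return subprocess.Popen([sys.executable, "-c", script], stdin=subprocess.PIPE,
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def demo():
    """Returns (healthy server, stuck server without force, stuck server with force)."""
    polite = graceful_stop(spawn(POLITE), timeout=15)
    stuck = spawn(STUCK)
    refused = graceful_stop(stuck, timeout=0.5)
    forced = graceful_stop(stuck, timeout=0.5, allow_force=True)
    return polite, refused, forced
```

demo() returns ("stopped", "still_running", "terminated"). The default refuses to escalate, so an auto_restart path built on this helper surfaces a stuck server to the operator instead of killing it; allow_force is the per-run approval the finding asks for, granted at the moment of execution rather than stored in configuration.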

Missing User Warnings

High
Confidence
98% confidence
Finding
The script transmits discovered local files off-system without a clear user-facing warning, preview, or informed consent step, which makes accidental data disclosure likely. In an ops-oriented skill repository, users may run helper scripts expecting local administration behavior, not bulk upload of repository contents to an external service.

Missing User Warnings

Medium
Confidence
100% confidence
Finding
A live bearer token is hardcoded directly in the script, exposing credentials to anyone with code access and enabling unauthorized use of the remote API. Hardcoded secrets are a severe security issue because they are easily leaked through source control, logs, backups, or downstream redistribution of the skill.

Missing User Warnings

High
Confidence
99% confidence
Finding
A live API bearer token is hardcoded directly in source and then used for authenticated requests. Anyone who obtains the code can reuse the credential to query account information and publish or modify content on the associated ClawHub account, leading to account takeover of the skill-publishing workflow and possible supply-chain compromise.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script creates local log files under the user's home directory and stores timestamps, model names, task names, token counts, costs, and arbitrary notes without any warning, consent, or retention controls. Free-form notes are especially risky because users may include secrets, operational details, or personal data, which then remain on disk and may be exposed through backups, shared accounts, or local compromise.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script contains a hardcoded bearer token and uses it to upload multiple local files to a remote API in a single non-interactive step, with no confirmation, dry-run, or file review. Although it uses HTTPS rather than plaintext HTTP, this is still dangerous because anyone with access to the script can extract and reuse the credential, and running the script can exfiltrate potentially sensitive local artifacts to an external service.
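A pre-install check for the hardcoded bearer token that the three findings above describe, with the hardened loading pattern beside it, as an added example that is not the skill's code: the scanner walks the Python AST for long literals assigned to secret-looking names and for literal bearer tokens placed in an Authorization header, and load_token takes the credential from the environment at run time and refuses placeholders. The sample script, its endpoint and its token values are constructed, and the variable name CLAWHUB_TOKEN is an assumption.

```python
import ast
import os
import re

SECRET_NAME = re.compile(r"token|secret|api[_-]?key|passw(or)?d|bearer", re.I)
BEARER_VALUE = re.compile(r"^Bearer\s+\S{8,}$", re.I)


def _string(node):
    """The literal's text if node is a str constant, else None."""
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None


def find_hardcoded_tokens(source):
    """Scan Python source for string literals that look like live credentials:
    a long literal assigned to a secret-looking name, or a literal bearer
    token placed directly in an Authorization header. Returns (line, reason)."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Assign, ast.AnnAssign)):
            value = _string(node.value)
            if value is None or len(value) < 16:
                continue
            targets = node.targets if isinstance(node, ast.Assign) else [node.target]
            for t in targets:
                if isinstance(t, ast.Name) and SECRET_NAME.search(t.id):
                    hits.append((node.lineno, f"{len(value)}-char literal assigned to {t.id}"))
        elif isinstance(node, ast.Dict):
            for key, val in zip(node.keys, node.values):
                k = _string(key) if key is not None else None
                v = _string(val)
                if k and k.lower() == "authorization" and v and BEARER_VALUE.match(v):
                    hits.append((val.lineno, "literal bearer token in Authorization header"))
    return sorted(set(hits))


def load_token(var="CLAWHUB_TOKEN", env=None):
    """Hardened form: the credential never lives in the repository. It comes
    from the operator's environment at run time and is rejected if absent or
    obviously a placeholder, so a missing secret fails loudly instead of
    silently reusing a stale one. The variable name is an assumption."""
    env = os.environ if env is None else env
    token = env.get(var, "").strip()
    if len(token) < 16 or token.lower() in {"changeme", "todo"}:
        raise RuntimeError(f"set {var} in the environment (not in source)")
    return token


# Constructed sample in the shape the findings describe; the endpoint and the
# token values are invented and are not real credentials.
SAMPLE = '''\
import requests
API = "https://clawhub.example/api/v1"
TOKEN = "clh_live_0123456789abcdef0123456789abcdef"

def whoami():
    return requests.get(API + "/me", headers={"Authorization": f"Bearer {TOKEN}"})

def publish(files):
    return requests.post(API + "/publish", files=files,
                         headers={"Authorization": "Bearer clh_live_fedcba9876543210fedcba9876543210"})
'''
```

find_hardcoded_tokens(SAMPLE) reports line 3 (the TOKEN literal) and line 10 (the inline bearer header); the f-string header on line 6 is caught through the assignment it reads from. Run the scanner over every .py file in a skill before installing it, and treat any hit as a token to rotate, since the value is already public to everyone who has the package.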

VirusTotal

64/64 vendors flagged this skill as clean.
