Skill Insight

Security checks across malware telemetry and agentic risk

Overview

This is a local skill-usage reporting tool with disclosed optional session scanning and recurring tracking, but users should treat those features as privacy-sensitive.

Install only if you want local analytics about skill usage. Before enabling session scanning, cron, or HEARTBEAT-style auto-recording, understand that recent OpenClaw session content may be inspected locally and summarized into usage logs; avoid recording secrets in scenes or notes and remove any cron or HEARTBEAT entries when you no longer want tracking.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill requests or implies broad capabilities (environment access, file read/write, network, shell) without declaring permissions up front, which reduces transparency and informed consent for users. In this context the capabilities are plausibly related to its stated function, but undeclared privileged behavior is still risky because it can access session data, modify local files, and run automated tasks without clear permission boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill is presented primarily as an analysis/reporting tool, but the documented behavior also includes persistent registry management, usage logging, session-history scanning, and local API/CLI access. That mismatch matters because users may approve it expecting passive reporting, while it actually performs broader collection and modification operations that touch potentially sensitive session metadata.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script retrieves and scans full recent session message content, including message text and serialized tool calls, to infer skill usage. That creates unnecessary access to potentially sensitive conversation data beyond the minimally required metadata for usage analytics, increasing privacy exposure if logs, crashes, or future code changes leak or misuse that content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script silently scans prior conversation content and persists derived usage records without any explicit user-facing disclosure or opt-in. Even though it stores derived indicators rather than raw message text, the scanning of historical sessions can reveal sensitive workflow patterns and create privacy/compliance risk because users may not expect retrospective analysis of their conversations.

Session Persistence

Medium
Category
Rogue Agent
Content
**Option A: For `script`-type skills only (easiest, automatic)**
```bash
# Add to crontab -e:
0 9 * * * cd ~/.openclaw/workspace/skills/skill-insight && bash scripts/cron_wrapper.sh >> ~/.local/log/skill-insight.log 2>&1
```
This runs daily and scans your session history for skill scripts that were executed via `exec` commands. Works for `script` access_type skills. **Will NOT detect `route`-type skills.**
Confidence
88% confidence
Finding
crontab -e

VirusTotal

66/66 vendors flagged this skill as clean.
