Security audit

Spec Engine

Security checks across malware telemetry and agentic risk

Overview

The advertised spec tools are mostly local, but the package also contains undisclosed OpenClaw news-scraping scripts that contact public websites, so it should be reviewed before installation.

Review this package before installing. The core spec-engine commands appear local and purpose-aligned, but the package also includes undocumented news collection code that makes outbound web requests and uses ambient proxy environment variables. Install only if you are comfortable with that extra behavior, or remove/ignore the daily_news and collectors files before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill advertises executable capabilities that imply environment access, file I/O, and network use, but the manifest shown does not declare any permissions or safety boundaries. In an agent setting, this weakens reviewability and can allow operators to invoke a skill with broader access than users expect, especially when combined with dashboard generation and directory scanning features.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: This is a strong red flag because the declared purpose is spec generation and validation, while the detected behavior reportedly performs unrelated multi-platform content harvesting and external network access. Such a mismatch suggests concealed functionality and materially increases the risk of data exfiltration, covert collection, or abuse of agent trust under a benign-looking label.

Description-Behavior Mismatch

Severity: High
Confidence: 92%
Finding: This file implements external Bilibili scraping/search collection, which is unrelated to the declared skill purpose of spec generation and validation. Hidden or out-of-scope data collection expands the skill's capabilities beyond user expectations and can enable unauthorized network activity, telemetry, or content gathering in environments that trust the manifest description.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The collector reads HTTP proxy settings from environment variables and applies them to outbound requests, which lets the runtime environment silently redirect traffic through attacker-controlled infrastructure. In a skill whose stated purpose is spec generation and validation, this undeclared network-routing capability is unnecessary and increases the risk of data exfiltration, traffic interception, and hidden external communication.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: This code performs live external web searching and scraping of Xiaohongshu content via DuckDuckGo, which is unrelated to the declared spec-engine functionality. Hidden collection behavior expands the skill's authority beyond its stated purpose, can leak user-supplied keywords to third parties, and creates an unexpected data-ingestion channel that could be abused for surveillance or unapproved external communications.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The Clawhub skill entry uses broad natural-language activation text such as 'Trigger when users ask about...' followed by multiple loosely scoped concepts. In an agent ecosystem, this can cause the skill to auto-invoke outside its intended context, exposing operational or security-related actions when the user only asked a general question.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The listing for 'OpenClaw Dual Agent' includes ambiguous trigger phrases like 'multi-agent setup' and similar broad wording without constraints. That makes accidental invocation more likely, especially because the skill appears capable of configuring multiple agents and messaging bots, which increases the consequences of a mistaken trigger.

VirusTotal

66/66 vendors flagged this skill as clean.