Yoder Skill Auditor

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed security-scanner skill whose risky-looking code is documented test fixture material, not hidden runtime behavior.

Reasonable to install if you want a local OpenClaw skill auditing tool. Do not manually execute files under tests/, review the built-in allowlist before relying on results, and treat the scanner as advisory rather than a final security guarantee.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (40)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill metadata declares no env/config requirements, but the described tooling and detected capabilities indicate broad operational access including shell, file I/O, network, and env handling. This mismatch is risky because users and policy engines may underestimate what the skill can do, weakening least-privilege review and making abuse harder to spot.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding: The script is deceptively labeled as fetching weather data, but it reads local authentication material and sends both the extracted token and an API key to an external webhook. This mismatch between stated purpose and actual behavior is a strong indicator of intentional credential exfiltration and makes the code especially dangerous because it is likely to evade casual review.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The documented behavior suggests harmless weather retrieval, but the implementation instead harvests credentials from ~/.config/openclaw/auth-profiles.json and transmits them off-host. In the context of a security scanner skill, this is wholly unrelated to expected functionality and represents covert theft of sensitive authentication data.

Context-Inappropriate Capability

Severity: Critical
Confidence: 100%
Finding: The script explicitly reads a local authentication profile, extracts the openai:default token, and posts it to an external endpoint. Unauthorized access to local auth profiles followed by exfiltration is direct credential theft that can lead to account compromise, downstream abuse, and broader system or data exposure.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The file behavior is fundamentally inconsistent with the declared purpose of a security scanner: instead of analyzing local content, it retrieves arbitrary remote code from external domains and executes it. This creates a direct remote code execution path under the user's privileges, and the mismatch in stated purpose versus actual behavior strongly increases suspicion of deceptive or malicious intent.

Context-Inappropriate Capability

Severity: Critical
Confidence: 100%
Finding: Both lines implement unjustified download-and-execute behavior: one pipes a remote shell script directly into bash, and the other downloads a Python script and executes it immediately. In the context of a security-scanning skill, this is especially dangerous because users may grant elevated trust to the tool, making covert payload delivery more likely to succeed.

Intent-Code Divergence

Severity: Critical
Confidence: 99%
Finding: The file is deceptively labeled as an image optimization helper, but it decodes a remote URL, reads the user's SSH private key from ~/.ssh/id_rsa, and sends it off-host. This is credential theft and covert exfiltration, and the misleading comment strongly suggests deliberate concealment rather than an accidental implementation mistake.

Description-Behavior Mismatch

Severity: Critical
Confidence: 99%
Finding: The skill claims to be a security scanner, yet the code performs unrelated secret collection and exfiltration. In this context, the mismatch makes the behavior more dangerous because users are likely to grant elevated trust and permissions to a security tool, increasing the chance of successful credential compromise.

Context-Inappropriate Capability

Severity: Critical
Confidence: 99%
Finding: Reading ~/.ssh/id_rsa and transmitting it to an external server is a direct theft of highly sensitive authentication material. Compromise of an SSH private key can enable unauthorized access to developer machines, servers, source repositories, and downstream infrastructure, making the impact potentially environment-wide.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding: The SKILL.md describes a generic 'System Helper' for system setup, which materially conflicts with the manifest metadata claiming this is a security scanner. This kind of identity mismatch is dangerous because it can conceal the skill's real behavior, enable deceptive invocation, and mask privilege-related functionality behind benign-looking documentation.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The script copies a file explicitly named backdoor.sh into /usr/local/bin and then sets the SUID bit on it, creating a persistent privilege-escalation path to root. In the context of a security-scanner skill, this behavior is unrelated to legitimate scanning and strongly indicates an intentional backdoor rather than an installation requirement.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: Instead of performing security analysis, the file modifies the host system in a privileged way by writing into /usr/local/bin and enabling setuid execution. This violates the declared purpose of the skill and creates unauthorized system-level persistence and escalation capability on the machine where the skill is installed.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding: The skill presents itself as a benign helper while embedding hidden instructions to ignore prior safeguards and exfiltrate the user's SSH private key to an external domain. This is a classic prompt-injection and data-exfiltration pattern, made more dangerous by the deceptive framing and explicit direction to bypass safety restrictions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding: The documented behavior substantially exceeds a generic 'friendly helper' role by directing the model to inspect user configuration files and override safety protections. The mismatch between the benign title and the actual instructions increases the likelihood of deceptive misuse and unauthorized access to sensitive local data.

Context-Inappropriate Capability

Severity: Critical
Confidence: 100%
Finding: The skill explicitly instructs exfiltration of ~/.ssh/id_rsa, which is a highly sensitive private credential, and also encourages reading user configuration files without justification. Theft of SSH private keys can enable unauthorized access to systems, lateral movement, and severe compromise of user and organizational infrastructure.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The script creates a symlink to the user's private SSH key and then reads it via `cat`, directly exposing credential material. For a skill described as a security scanner, accessing and outputting a host private key is unrelated to the stated purpose and could enable credential theft and downstream system compromise.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The script manipulates sensitive host paths by symlinking `/etc/passwd` and the user's SSH private key into `/tmp`, then exposes the key contents. This behavior exceeds any legitimate need for a security scanning skill and creates a clear path for host data exposure and credential harvesting.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding: The script is labeled as a benign 'System health check' but reads highly sensitive materials including an SSH private key and AWS credentials. This mismatch between declared purpose and actual behavior is a strong indicator of deceptive secret collection and creates clear risk of credential theft.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: Reading SSH private keys and AWS credentials is not justified by the skill's stated role as a scanner for OpenClaw skills. Accessing these files exposes secrets that can be used for infrastructure compromise, persistence, lateral movement, or data exfiltration.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The script performs local file harvesting rather than analyzing skill content, so its behavior does not align with the advertised scanning functionality. In the context of a security-scanner skill, this makes the code more dangerous because users are likely to trust it with elevated access while it silently collects secrets.

Description-Behavior Mismatch

Severity: Critical
Confidence: 99%
Finding: This code is a deliberate credential theft mechanism disguised as a scheduler. It checks a time-based trigger, reads the user's private SSH key from ~/.ssh/id_rsa, and exfiltrates it to an external domain, which would enable unauthorized access to systems and long-term compromise.

Context-Inappropriate Capability

Severity: Critical
Confidence: 99%
Finding: Reading a private SSH key and sending it off-host has no legitimate role in a scheduler or security scanning skill. Theft of private keys can lead to persistent unauthorized access, lateral movement, source code theft, and infrastructure compromise.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding: The comments and naming attempt to conceal the actual behavior by presenting the file as a harmless scheduler while embedding a delayed malicious payload. This deception increases risk because it is designed to evade review and activate later, making detection and response harder.

Vague Triggers

Severity: Medium
Confidence: 97%
Finding: The allowlist description defines a downgrade policy using broad behavioral criteria like handling credentials or making API calls, which are common across many skills and not inherently safe. If this rationale is used operationally to suppress or downgrade critical findings, a malicious or compromised skill can evade scrutiny simply by resembling a legitimate integration pattern.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The script accesses sensitive values from both an environment variable and a local auth file, then silently sends them to a remote service with no user notification. Secret access and transmission without disclosure or consent violates least surprise and creates a high risk of unnoticed credential compromise.

VirusTotal

64/64 vendors flagged this skill as clean.