Unraid Monitor Skill for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Unraid monitoring skill that queries a configured server and stores local monitoring artifacts, with no evidence of hidden exfiltration or destructive behavior.

Install this only if you intend to let it query your Unraid API and keep local monitoring files. Use a least-privilege API key if possible, verify UNRAID_BASE_URL, avoid session cookies unless needed, protect the .state or UNRAID_STATE_DIR directory, and review any crontab or sudo certificate-trust commands before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3 (Medium)
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill declares no explicit permissions even though the documented workflow clearly requires network access and shell execution. This weakens consent and policy enforcement because a caller may approve a supposedly simple read-only query skill without realizing it can execute scripts, make outbound requests, and manipulate local state.

Tp4 (High)
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The description says the skill only performs read-only Unraid GraphQL status queries, but the documented behavior includes local persistence, logging, archival state, preflight execution, notifications, and cron-oriented automation. This mismatch is dangerous because operators and policy systems may underestimate what the skill can do on the host, leading to overbroad trust and unintended persistence or scheduled execution.

Description-Behavior Mismatch (Medium)
Confidence: 91%
Finding: The manifest markets the skill as read-only querying, but the instructions also cover logging, state artifact creation, notifications, and cron setup or management. Even if these actions are not directly destructive, they extend the trust boundary from passive querying into host-side persistence and scheduled execution, which materially changes the security profile.

Context-Inappropriate Capability (Medium)
Confidence: 90%
Finding: Cron installation or modification is a persistence mechanism and is broader than what is necessary to answer on-demand health queries. In an agent setting, the ability to add or alter scheduled tasks can be abused to create recurring execution, continuously access secrets from the environment, or maintain footholds beyond the original user request.

Intent-Code Divergence (Medium)
Confidence: 88%
Finding: The documentation states 'Perform read-only operations only,' but elsewhere authorizes local writes and cron-related changes. This contradiction can mislead reviewers and runtime policy about the true side effects of execution, increasing the chance that the skill is granted trust or automation it should not receive.

VirusTotal

64/64 vendors flagged this skill as clean.