ClawHub

Remote Skill Installer

Security checks across malware telemetry and agentic risk

Overview

This skill can persistently install, overwrite, or delete agent skills from remote URLs and mirrors without strong source verification or overwrite confirmation.

Install only if you intentionally want a tool that can change local OpenClaw agent behavior. Use trusted HTTPS sources, avoid arbitrary mirrors, review downloaded SKILL.md files before enabling them, and back up ~/.openclaw workspaces before import, update, or remove operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The installer claims to import from an official Skills Hub, but `_get_hub_url()` allows the base URL to be overridden from a local file or environment variable. That means anyone who can influence the runtime environment or the `~/.openclaw/skills-hub-url` file can redirect imports to arbitrary remote content, which is then written as `SKILL.md` and trusted as a skill.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The user-facing import command is documented as importing from the official Skills Hub, but the implementation can silently fetch from custom hubs or mirrors instead. This trust-boundary mismatch is dangerous because users may rely on the wording to assume provenance and safety, while the code accepts content from locations outside the stated source.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes installing skills from arbitrary URLs and bulk-importing them directly into an agent workspace, but it does not prominently warn that remote SKILL.md content is untrusted and can alter agent behavior. In this context, writing attacker-controlled skill files into a live workspace can enable prompt injection, malicious instruction persistence, or unsafe overwrites if users assume the source is trustworthy.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The proxy and custom mirror instructions encourage routing skill downloads through third-party infrastructure without warning that mirrors and proxies can observe, modify, or substitute downloaded content. Because this tool installs remote skills into an agent workspace, any integrity loss in transit can directly result in malicious skill installation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly supports installing, updating, and removing skills in agent workspaces, but it does not clearly warn that these operations change local files and may overwrite or delete existing skill content. In a remote-installation context, that omission can cause unsafe or unintended workspace modification, especially if users assume the actions are non-destructive.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill encourages fetching SKILL.md from arbitrary third-party URLs and mirrors, but does not clearly warn about trust, privacy, and supply-chain risks. Because skill content is effectively executable instruction material for an agent environment, downloading from untrusted sources can introduce malicious behavior, leak operational metadata through network access, or replace trusted skills with attacker-controlled content.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script creates the target skill directory with `exist_ok=True` and writes downloaded content directly to `SKILL.md`, overwriting any existing local skill without confirmation or backup. In a skill system, replacing local instructions or behavior with attacker-controlled remote content can change agent behavior unexpectedly and persist malicious prompts or logic.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal