Claw Stack Manager

Security checks across malware telemetry and agentic risk

Overview

This skill appears to manage Portainer stacks as advertised, but it has under-disclosed high-impact Docker actions and credential handling that users should review before installing.

Install only if you trust the publisher and are comfortable giving this skill Portainer-level control over Docker stacks. Use a narrowly scoped API key if possible, avoid production runs without a maintenance window, review the force-delete cleanup for claw-redep and ng-agent containers, and rotate the Portainer key if redeployer container metadata may expose it.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The script claims to manage stacks, but it also contains a separate code path that restarts a specific standalone container, openclaw-gateway. This expands operational scope beyond the stated purpose and can cause unanticipated service disruption or be abused to affect an unrelated component.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The script automatically ingests arbitrary key-value pairs from a workspace .env file into its process environment, including secrets unrelated to Portainer. That behavior is broader than necessary for stack management and increases the blast radius of any later logging, subprocess use, or network interaction that can expose those values.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill describes stop/redeploy operations but does not clearly warn users that invoking it will interrupt running services and may trigger destructive state changes. In the context of infrastructure management, missing disruption warnings can lead to accidental production outages because the user may treat the action as a routine non-impacting update.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The documentation requires a Portainer API key but does not emphasize that the credential grants remote administrative control over Docker stacks. Without a clear warning, users may provide high-privilege secrets too broadly or mishandle them, enabling unauthorized infrastructure changes if the environment or logs are exposed.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
Sensitive credentials are silently loaded from a fixed workspace .env path without disclosure or operator awareness. This creates hidden credential dependency and can surprise users by using secrets from local workspace state they did not intend to expose to this script.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The update flow performs stack pull, stop, and redeploy actions immediately once invoked, with only minimal status messages and no explicit destructive-action confirmation. In an agent setting, this can lead to accidental downtime or unintended changes to production services.

VirusTotal

66/66 vendors flagged this skill as clean.