Huo15 Openclaw Enhance

Security checks across malware telemetry and agentic risk

Overview

This is a broad OpenClaw enhancement plugin with useful disclosed features, but it also includes default-on automatic task dispatch, local credential use, HTTP file routes, and persistence helpers that deserve manual review before installation.

Install only if you want a broad enhancement suite, not just context-limit warnings. Review and disable unneeded sharing/upload/cc-media-bridge behavior where your OpenClaw config allows it, avoid using share tools on sensitive files, configure BOT_BASE_URL deliberately, and do not run the setup, release, or LaunchAgent helper scripts unless you intend their persistent/workspace changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (80)

Description-Behavior Mismatch

Severity: High
Confidence: 87%
Finding
The plan describes memory export and persistent workflow/task storage that materially exceed the narrowly stated runId deduplication and banner-silence scope. In an agent skill, undeclared data export and retention capabilities increase the chance of unexpected data disclosure, especially if users or reviewers rely on the manifest to understand what the plugin can persist or extract.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The README presents the tool-safety component as a passive observer that 'never blocks or intercepts,' but later documents configuration options that actively block commands and file writes. This mismatch is security-relevant because operators may deploy the plugin under a false assumption about enforcement behavior, leading to unsafe trust decisions or unexpected blocking in production.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The SOP explicitly instructs reverse-engineering and unpacking a proprietary desktop application to inspect internal implementation details and reuse them in this plugin's roadmap. Even though this is framed as research rather than runtime behavior, it expands the skill's operational scope beyond its stated non-invasive enhancement purpose and encourages unsafe supply-chain practices based on undocumented internals.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The document includes concrete release procedures using live npm and ClawHub authentication tokens, which creates a deployment pathway unrelated to the plugin's runtime function. In an agent context, operational publishing instructions materially increase the risk of unauthorized package publication, token misuse, or supply-chain compromise if followed automatically or surfaced in the wrong environment.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding
The manifest describes a narrowly scoped context-watchdog enhancement, but the entrypoint actually registers a large suite of unrelated capabilities including workflow automation, skill installation, session bridging, routing, upload/share bridges, and dispatch features. This scope mismatch is dangerous because reviewers and operators may grant trust based on the advertised purpose while unknowingly installing a much more privileged plugin surface.

Context-Inappropriate Capability

Severity: High
Confidence: 92%
Finding
The code imports and later registers capabilities related to session bridging, dispatch harnesses, keyword-triggered dispatch, model routing, and file upload/share flows that materially extend the plugin beyond a watchdog role. In a plugin ecosystem, hidden network/dispatch-style features increase the risk of unintended data movement, remote task triggering, or policy bypass because they are not justified by the stated skill purpose and may evade normal user scrutiny.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding
A postinstall hook executes automatically during package installation, which creates an implicit code-execution path unrelated to the stated non-invasive runtime enhancement purpose. In agent/plugin ecosystems, install-time execution is risky because consumers may not expect side effects, and any compromise or misuse of the hook can run code on the installer's machine without explicit runtime invocation.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The script writes a user LaunchAgent plist and explicitly loads it with launchctl, establishing scheduled execution outside the immediate plugin/runtime flow. Even though it is user-level and documented as a one-time deploy helper, this is still persistence behavior that expands the skill's operational scope beyond a purely non-invasive runtime enhancement and can be abused to execute code later without fresh user review.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding
The header comment says the script does not load LaunchAgents in plugin runtime, but the script later calls launchctl load directly. This mismatch is dangerous because it can mislead reviewers and users about the script's actual behavior, reducing informed consent around persistence-related actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The installer goes beyond simple plugin installation and directly modifies the user's OpenClaw workspace by copying skills and appending content to AGENTS.md and SOUL.md. Even though these actions are visible in the script, they are broad, persistent changes to agent behavior and trust boundaries, and they are performed automatically without explicit consent or granular disclosure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The completion banner claims installation of modules and capabilities that are not established by this script segment, which can mislead users into believing additional features or security controls are present. In security-sensitive agent environments, inaccurate post-install claims can cause misplaced trust and reduce scrutiny of what was actually installed and enabled.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding
The skill metadata claims a narrow purpose around runId deduplication and context silencing, but this file introduces persistent baseUrl configuration management. That hidden capability materially expands the plugin’s control surface by allowing durable network-facing behavior changes that are not disclosed to the user reviewing the manifest.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
This code registers an HTTP file-serving route and exposes downloadable shared files, which is a significant undeclared capability compared with the skill’s stated dedupe/silence functionality. Hidden network listeners and file-hosting behavior increase attack surface and can enable unintended data exposure, especially because the route serves local files copied into a persistent share directory.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The registered tools allow sharing local files, enumerating active shares, revoking them, and persisting base URLs, none of which are reflected in the skill metadata. Undeclared tools that can publish local files and alter persistent networking configuration create a substantial trust and consent problem and can be abused to exfiltrate data under the guise of a benign enhancement plugin.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The code writes persistent local configuration to ~/.openclaw/share/config.json even though the skill’s stated purpose does not justify durable configuration changes. Silent persistence is dangerous because it modifies future behavior across sessions and can redirect generated links to attacker-controlled infrastructure if misused.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The memory prompt supplement injects behavioral rules that steer how the model handles file delivery and baseUrl setup, exceeding the plugin’s declared enhancement scope. Undisclosed prompt-level control can manipulate downstream assistant behavior in ways users and operators do not expect, including pressuring workflow changes around file sharing and network configuration.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The file introduces a full browser-accessible upload service, persistent local storage, HTTP routes, and file-ingestion workflow that materially exceeds the skill metadata's declared purpose of runId deduplication and banner silencing. This kind of hidden capability expansion is dangerous because it creates a new externally reachable attack surface and data-handling path that operators would not reasonably expect or review under the stated scope.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
This module implements a large-file upload and local ingestion pipeline unrelated to the described context-management enhancements, indicating undeclared capability smuggling. In a plugin ecosystem, such scope mismatch is security-relevant because it can bypass administrator expectations, change trust assumptions, and expose users to unreviewed file intake and storage behavior.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The plugin implements a dispatch-lockdown and tool-routing enforcement mechanism that is materially broader than the manifest’s advertised features of runId dedupe and banner silencing. This hidden behavior can covertly alter agent execution paths, block legitimate tools, and force work through a specific Bash command, undermining transparency, operator expectations, and security review boundaries.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The code detects certain user-message patterns, injects coercive prompt instructions, enters a temporary lockdown state, and blocks alternative tools until the model uses a specific Bash-based workflow. This is dangerous because it manipulates control flow at the hook layer, bypasses normal agent choice, and can redirect tasks into shell execution with user-derived arguments, creating a strong policy-bypass and command-routing risk.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The module routes work to an externally reachable service endpoint selected from an environment variable, creating a hidden task-dispatch capability beyond the declared plugin scope. Even though it uses loopback, this still enables covert privilege expansion and task execution through a local service the user may not expect or have consented to, especially because the feature is triggered by message content rather than an explicit trusted admin action.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
This hook creates a message-triggered execution path where user text matching a keyword automatically causes an HTTP POST to dispatch background work. That is dangerous because ordinary chat input can invoke side effects outside the LLM’s normal decision flow, enabling prompt-to-action behavior, unexpected task execution, and possible abuse if an attacker can craft messages that trigger the bridge.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The module adds a new data-collection and prompt-injection path by automatically querying a local HTTP service and inserting the results into model context, which goes beyond a narrowly described 'non-invasive enhancer.' Even though the target is localhost, it still expands the skill’s trust boundary and can expose local session metadata to the model without an explicit user action or clear disclosure.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The code reads a locally stored dashboard password from ~/.openclaw-media-bridge/config.json and uses it to authenticate to another local service. Accessing credential material from disk to reach a separate component is a sensitive cross-boundary action, especially when the skill is presented as non-invasive and the user is not clearly informed that secrets will be consumed this way.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The module injects a strong prompt supplement that changes model output behavior by requiring dashboard links for cc-media-bridge tasks, but this behavior is not reflected in the stated enhancement scope. Hidden prompt-shaping capabilities are risky because they alter user-visible responses and can steer users to external interfaces without transparent disclosure or consent.

VirusTotal

64/64 vendors flagged this skill as clean.