Huo15 Openclaw Openai Knowledge Base

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real knowledge-base skill, but it needs review because it can send local knowledge-base content to an external LLM and includes helpers that can persistently rewrite agent/workspace files.

Install only after reviewing the scripts. Use agent scope for private material, verify the configured LLM provider before compiling documents, and avoid running bootstrap-from-questionnaire.sh or install-all-agents.sh unless you specifically want those broader persistent workspace/all-agent changes. Do not compile untrusted documents until filename path containment is fixed in kb-llm.py.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
88% confidence
Finding
Overly broad trigger phrases like general 'query' or 'ask' terms can cause accidental invocation during ordinary conversation. In a skill with file, network, and shared-scope write behaviors, misfires are more dangerous because they may ingest content, query private data sources, or modify persistent knowledge stores when the user did not intend to activate the skill.

Vague Triggers

Medium
90% confidence
Finding
The trigger list includes ambiguous standalone terms such as 'broken link', 'stub', 'knowledge graph', and 'database view', which are likely to appear in normal discussion unrelated to this skill. Because the skill can touch local vaults, shared KB state, and network-backed ingestion, accidental activation meaningfully increases the chance of unintended reads/writes and privacy-impacting operations.

Missing User Warnings

Medium
87% confidence
Finding
The script unconditionally overwrites several well-known workspace files using shell redirection. In an agent/workspace context, these files can contain security-relevant instructions, identity settings, and user-specific data, so silent replacement can destroy safeguards or replace trusted prompts/configuration with questionnaire-derived content.

Missing User Warnings

Medium
95% confidence
Finding
The script reads a local prompt file and transmits its full contents to a remote LLM endpoint, but it does not provide any explicit user warning, consent step, redaction, or sensitivity check before network transmission. In a knowledge-base compiler, prompts may embed local documents, notes, URLs, or other sensitive material, so silent exfiltration to a third-party model provider creates a real confidentiality risk.

VirusTotal

VirusTotal findings are pending for this skill version.