Openclaw Skill

Security checks across malware telemetry and agentic risk

Overview

Family Steward is a coherent local family-office management skill, but users should be careful: it handles highly sensitive records and its activation criteria are broad enough to fire on everyday conversation.

Install only if you are comfortable using an npm-based package to manage sensitive family, contact, legal-document, health-note, and task metadata locally. Before entering real data, verify the package source, storage location, encryption behavior, backup exposure, and deletion/export process, and avoid running the publishing helper script with untrusted arguments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill metadata declares no permissions, yet the package requires Node and advertises an install step using npm, which implies executable code and shell capability outside the stated trust boundary. That mismatch can cause the host or reviewer to underestimate what the skill can do, increasing the risk of unintended command execution or supply-chain exposure during installation or runtime.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The declared purpose is family-office management, but the detected behavior includes publishing, validation, authentication checks, and ClawHub/package distribution workflows unrelated to that purpose. This kind of description-behavior mismatch is dangerous because it can conceal administrative or supply-chain actions behind an innocuous data-management description, especially in a skill handling highly sensitive information.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The documented auto-trigger behavior uses very generic keywords such as 'family', 'contact', 'document', and 'task', which are common in ordinary conversations and can cause the skill to activate outside clear user intent. In a skill handling highly sensitive family office data, accidental invocation increases the chance of unintended data exposure, inappropriate tool execution, or privacy-sensitive context being pulled into a session.

Vague Triggers

Medium
Confidence
74% confidence
Finding
The activation criteria are broad enough to match common requests like reminders, overviews, and task coordination, which increases the chance the skill will activate in contexts where the user did not intend to expose sensitive family-office data. In a high-sensitivity domain, over-broad triggering can lead to unnecessary retrieval, display, or persistence of private legal and contact information.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill handles extremely sensitive family, legal, and professional-contact data, but the user-facing description does not clearly warn that data may be stored locally and persist beyond the current session. In this context, insufficient disclosure about storage and retention is risky because users may provide confidential information without informed consent about where it resides and how long it remains accessible.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The publishing helper script builds a shell command string from untrusted positional arguments (`VERSION` and especially `CHANGELOG`) and then executes that string with `eval`. Because `eval` re-parses the whole string, any quoting placed around the variables inside it does not protect against a `"` in the argument: shell metacharacters or command substitutions in those arguments can break out of the intended `clawhub publish` invocation and execute arbitrary commands in the user's environment during publishing.
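The following is an added example, not the skill's own publish helper, that reproduces the pattern this finding describes (positional arguments spliced into a command string and then passed to `eval`) next to the direct-argv form that does not re-parse user data. It assumes a stand-in `fake_publish` in place of the real `clawhub publish`, and the flag names `--version` and `--changelog` are invented for illustration; the changelog payload is constructed here to show the break-out.

```shell
#!/bin/sh
# Added example (not the skill's script). The real 'clawhub publish' is replaced
# by fake_publish so it runs offline; --version/--changelog are assumed flag
# names, not clawhub's actual CLI.

fake_publish() {
  # Stand-in for 'clawhub publish': prints each argv entry on its own line,
  # so the output shows exactly what the tool would have received.
  printf '%s\n' "$@"
}

# VULNERABLE: mirrors the finding. The quotes written into CMD do not help,
# because eval re-parses the string and a '"' inside CHANGELOG closes them.
publish_unsafe() {
  VERSION=$1
  CHANGELOG=$2
  CMD="fake_publish --version $VERSION --changelog \"$CHANGELOG\""
  eval "$CMD"
}

# FIXED: arguments go straight into argv. There is no second parse, so the
# shell never treats changelog text as syntax.
publish_safe() {
  fake_publish --version "$1" --changelog "$2"
}

# Constructed attacker-controlled changelog: closes the open quote, runs a
# command, then reopens a quote so the string stays syntactically valid.
build_payload() {
  printf 'fix typo"; touch "%s"; echo "' "$1"
}

# Returns 0 if running the given publisher created the marker file, i.e. the
# changelog argument was executed as a command instead of passed as data.
injection_succeeds() {
  publisher=$1
  marker=$(mktemp -u)    # a fresh path only; the file must not exist yet
  "$publisher" 1.2.3 "$(build_payload "$marker")" >/dev/null
  if [ -e "$marker" ]; then
    rm -f "$marker"
    return 0
  fi
  return 1
}

# Usage (run manually): the same payload behaves differently in each form.
#   injection_succeeds publish_unsafe && echo "unsafe: command executed"
#   injection_succeeds publish_safe   || echo "safe: payload stayed literal"
```

With `publish_safe`, `fake_publish` receives the whole payload as the single fourth argument, so the `touch` never runs; the general rule is to build argument vectors, never command strings, and to treat any `eval` over user-supplied text as a finding regardless of how carefully the string appears to be quoted.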

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal