Claw Friends

Security checks across malware telemetry and agentic risk

Overview

This is mostly a disclosed OpenClaw character and Tuqu photo integration, but it needs review because it also exposes payment, deletion, credential, and persistent workspace actions without strong confirmation guardrails.

Install only if you are comfortable giving an agent Tuqu service-key authority and persistent access to OpenClaw character workspaces. Use a limited or disposable Tuqu key, avoid putting keys in query strings or saved workspace files, personally confirm every recharge/payment and delete operation, and review ~/.openclaw/ROLES.json plus workspace paths before using /shift.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill declares filesystem and network-related behavior in metadata and documentation, but does not expose any explicit permission model for those capabilities. This is dangerous because users may install it expecting simple character/photo features while the skill can also read, write, and potentially use environment-derived secrets during runtime without clear consent boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
The documented purpose is character creation and photo generation, but the behavior summary includes broader local state manipulation, workspace switching, credential handling, and access to billing and account-related remote API endpoints. This mismatch is dangerous because it undermines informed consent and can hide materially riskier operations such as account actions, local workspace mutation, and exposure of authentication context.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This script performs filesystem-level workspace switching by moving arbitrary directories referenced in ROLES.json into and out of ~/.openclaw/workspace, which is unrelated to the advertised character/photo functionality. Because it trusts role metadata and workspace-state paths without validation or confinement, a malicious or tampered configuration could cause unintended movement of sensitive directories, leading to data loss, corruption, or unauthorized reassignment of OpenClaw workspaces.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The README describes a general-purpose Tuqu photo and billing API helper, while the skill metadata says the skill is for creating characters and enabling selfies/photos. This scope mismatch increases the chance that an agent using the skill will invoke unrelated capabilities, expanding access beyond user-expected functionality and weakening least-privilege boundaries.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Documenting billing and recharge flows in a character-photo skill exposes financially sensitive actions that are unrelated to the stated purpose. If an agent follows this documentation, it could trigger balance checks or payment/recharge operations with a provided service key, causing unauthorized spending or financial account manipulation.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The README advertises prompt enhancement, catalog discovery, and pricing/model-cost lookups that go beyond the narrow character-photo intent. While these may be legitimate platform features, bundling broader discovery and cost-inspection capabilities into a narrowly scoped skill increases attack surface and may enable unintended data access or off-mission API use.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The file explicitly documents recharge and payment initiation flows for a skill whose stated purpose is character creation and photo generation. In this context, exposing payment actions is dangerous because an agent or integration could initiate real-money top-ups outside user expectations, creating financial risk and a clear mismatch between declared purpose and available capability.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The workflow adds recharge and payment-processing operations that are outside the skill's stated purpose of character creation and photo-taking. In an agent setting, exposing billing endpoints without strong scope controls can enable unauthorized purchases or social-engineered top-ups, especially because the instructions describe exactly how to create payment sessions and return payment artifacts.

Description-Behavior Mismatch

Medium
Confidence
76% confidence
Finding
The documentation includes balance inspection and generation-history management beyond the narrow manifest description. While less severe than payment initiation, these capabilities broaden access to potentially sensitive account metadata and prior user outputs, increasing the chance of privacy leakage or misuse if the agent invokes them unexpectedly.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Payment processing is context-inappropriate for a skill presented as a creative image/character tool, which makes the capability especially risky because users and reviewers may not expect real billing actions. The mismatch increases the likelihood of deceptive or accidental transaction flows, and the workflow provides enough operational detail to execute them directly.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The helper exposes billing, balance, recharge plan, and payment initiation endpoints even though the skill is described as creating characters and taking photos. This expands the skill's effective privilege and attack surface, enabling financial or account-related actions that are not necessary for the stated functionality if the script is used by an agent or user with available credentials.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code includes payment-related capabilities such as recharge plan lookup and creating WeChat/Stripe recharge requests without clear justification from the skill's declared purpose. In an agent setting, hidden or unnecessary payment APIs are risky because they can be invoked through prompt manipulation or tool misuse, potentially causing unauthorized monetary operations or exposing sensitive billing data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly states that the skill creates multiple files, scaffolds a workspace, and modifies `~/.openclaw/ROLES.json`, but it does not clearly warn users about these side effects before installation or use. In an installable agent-skill context, undocumented filesystem writes and config changes can surprise users, overwrite state, or create persistence mechanisms that outlive a session.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs creating directories and writing multiple files under ~/.openclaw without requiring an explicit confirmation immediately before filesystem modification. In an agent setting, this can cause unintended persistent state changes, clutter, or overwriting behavior if invoked from ambiguous user intent or mis-triggered automation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The /shift flow performs workspace-moving operations that change which character is active and may relocate existing workspace contents, yet it only asks the user to choose a character name and does not clearly warn about the filesystem and state transition effects. In a persistent agent environment, this can lead to accidental data movement, confusion about active state, or unintended replacement of the current workspace.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The template instructs the agent to delete `BOOTSTRAP.md` automatically after reading it, without user confirmation or any safeguard. Even if intended as workspace initialization, this creates an unsafe pattern of autonomous file deletion and can destroy auditability, recovery information, or setup state the user may still need.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The recharge guidance describes real payment operations without prominent warnings, consent requirements, or confirmation safeguards. For a photo/character skill, that omission makes accidental or socially engineered payment initiation more plausible because users would not reasonably expect financial actions from this context.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation explicitly allows passing a sensitive service key via query parameter, which is commonly logged by browsers, reverse proxies, analytics systems, and server access logs. This increases the chance of credential leakage and subsequent unauthorized API use, including billing-related actions tied to the same credential.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Allowing a service key in the POST body for payment initiation increases exposure through client-side logging, server request logging, error reporting, and accidental persistence in application telemetry. Because the same credential authorizes recharge operations, leakage can directly enable unauthorized payment or account actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Stripe recharge docs also permit placing the service key in the request body, repeating the same credential-handling weakness for a payment flow. Sensitive credentials in bodies are more likely to be captured by middleware, debugging tools, or stored request payloads, creating a practical path to account misuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The payment workflow lacks any warning that the described endpoints can trigger live billing actions. In conversational or agent-driven systems, omission of this warning can lead to accidental purchases or manipulation into initiating transactions without informed consent.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: openclaw-friends-skill
description: 为龙虾创建角色(世界知名人物或虚拟人物),并让角色支持自拍和拍照。Create a character for OpenClaw (either a world-famous figure or a fictional character), and enable the character to take selfies and photos.
config_paths:
  - ~/.openclaw/ROLES.json
  - ~/.openclaw/workspace
Confidence
91% confidence
Finding
Create a character for OpenClaw (either a world-famous figure or a fictional character), and enable the character to take selfies and photos. config_paths: - ~/.openclaw/ROLES.json - ~/.openclaw/w

VirusTotal

67/67 vendors flagged this skill as clean.