Update Scout

Security checks across malware telemetry and agentic risk

Overview

This update-monitoring skill is disclosed and purpose-aligned, but because it can execute configured version-check commands locally, users should add only trusted commands to its watchlist.

Install only if you are comfortable with a helper that can run configured local version-check commands and read local skill metadata for health checks. Keep watchlist entries limited to trusted commands such as `tool --version`, review `~/.config/scout/watchlist.json` before enabling scheduled checks, and ask to see the exact upgrade or restart commands before approving any update.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill invokes local scripts that read and write files, use the network, inspect environment context, and can execute shell commands, yet it declares no permissions or capability boundaries. This creates a trust gap: users and policy systems cannot accurately understand or constrain what the skill may do, increasing the chance of unintended file access, external requests, or command execution during normal use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented purpose is update tracking for GitHub-released tools, but the skill also includes a self-review capability that scans local skills directories, reads SKILL.md files, and fetches external guidance from GitHub. That expands the skill into local content inspection and unrelated network activity, which can expose sensitive prompt/configuration data and violates the principle of least surprise for users approving an update-monitoring tool.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documented `command` detect type allows the skill to run arbitrary shell commands from watchlist configuration, which expands its capability from passive version checking into general command execution. In an update-tracking skill, that creates a meaningful abuse path if a watchlist entry is maliciously added or modified, because command execution occurs under the user's privileges during routine checks.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The CLI instructions actively encourage users to register tools via `--detect-type command` and pass a free-form command string, normalizing arbitrary command execution as part of normal operation. This makes the prior capability easier to adopt and harder to notice as risky, increasing the chance that unsafe commands enter the watchlist and run during scheduled monitoring.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The watchlist configuration supports a "command" detection type and accepts either a list or a string that is split and executed locally. Because the watchlist is user-editable and could be supplied by an agent or untrusted source, a crafted config can cause arbitrary local program execution whenever update checks run, which is especially risky in an automation skill that may process external tool recommendations.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The script's documented behavior is to review local OpenClaw skills for structural issues, which does not match the scout skill's declared purpose of monitoring GitHub releases and update risk. This kind of scope mismatch is dangerous because it grants users and the agent a local inspection capability they would not reasonably expect from the manifest, increasing the chance of unintended access to workspace content.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script walks an arbitrary skills directory, reads SKILL.md files, recursively scans for additional files, and reports on their contents. In the context of a release-tracking skill, this broader local file-inspection capability is unjustified and expands the trust boundary, making the skill more dangerous because users may invoke it expecting remote release analysis rather than local workspace enumeration.

VirusTotal

65/65 vendors flagged this skill as clean.