agent-manager

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to manage OpenClaw agents, but it needs review because it can change local OpenClaw configuration and expose or store Feishu bot secrets without strong safeguards.

Install only if you want this skill to administer OpenClaw agents and Feishu bot bindings on your machine. Use simple slug-style Agent IDs, prefer authenticated pairing for private bots, avoid running the Feishu authorization flow in logged or shared terminals, back up ~/.openclaw/openclaw.json before use, and rotate any Feishu secret that may have been printed or captured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The skill instructs the agent to tell the user that the new agent's `.git` directory was automatically cleaned, but no preceding documented step explicitly performs or validates that cleanup. This creates a mismatch between claimed and actual destructive behavior, which can mislead users about repository state and normalize silent deletion of version-control metadata in a workspace-management skill.

Vague Triggers

Medium
Confidence: 89%
Finding
The README describes a highly privileged skill that can create agents, configure workspaces, and perform external service binding directly from broad natural-language prompts. Without clear activation boundaries, authorization checks, or constrained command formats, ordinary conversation could unintentionally trigger sensitive administrative actions or be abused through prompt injection and social engineering.

Vague Triggers

Medium
Confidence: 92%
Finding
The example phrase is common conversational language and maps directly to privileged behavior, including creating a new agent and binding Feishu access. Because the trigger overlaps with normal user requests, a model could misinterpret routine text as an instruction to perform sensitive actions, increasing the risk of accidental execution or adversarial prompt steering.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill handles Feishu `app_secret` values and directs execution of shell commands that generate and retrieve credentials, but provides no warnings about secret sensitivity, logging exposure, terminal history, or operational side effects. In a credential-provisioning workflow, missing safeguards can expose bot credentials to chat transcripts, command output, or downstream tooling, enabling unauthorized bot control.

Missing User Warnings

Medium
Confidence: 94%
Finding
The workflow states that `.git` cleanup is performed automatically but does not warn users beforehand that version-control metadata may be removed from the new agent workspace. Deleting `.git` changes project provenance, history, and recovery options, so omitting a clear warning can lead to unintended data loss or loss of auditability.

Missing User Warnings

Medium
Confidence: 98%
Finding
The script prints the returned App ID and especially the App Secret directly to stdout, which can expose credentials through terminal history, shell logging, CI logs, remote session capture, or process supervision logs. In an agent or automation context, stdout is commonly collected and persisted, making secret disclosure substantially more dangerous.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script stores Feishu app credentials in plaintext in ~/.openclaw/openclaw.json without checking file permissions, warning the user, or using a secret store. If the local account, backups, logs, or shared filesystem are exposed, these credentials could be recovered and used to impersonate the bot or access associated services.

Missing User Warnings

Low
Confidence: 79%
Finding
The script reads a user configuration file and prints account IDs, app IDs, and agent bindings directly to stdout. While these values are not necessarily secrets, exposing internal identifiers and account-to-agent mappings can leak operational metadata into terminals, logs, CI output, or shared shells, increasing reconnaissance value for an attacker.

VirusTotal

66/66 vendors flagged this skill as clean.