ctct-security-patrol

Security checks across malware telemetry and agentic risk

Overview

This is a mostly legitimate security-audit skill, but it creates and stores a persistent device ID even in local mode, despite its own documentation saying that only happens in upload mode.

Install only if you want a broad local security audit and are comfortable with sensitive reports and baselines under ~/.openclaw. Prefer local mode, avoid --push unless you trust auth.ctct.cn and accept device fingerprinting, and treat the script integrity hash as stale until the publisher fixes it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill declares `credentials: none` and no permissions, but the content explicitly instructs running shell commands and accessing environment/system state. This creates a transparency and consent problem: operators may approve the skill assuming minimal privileges while it actually performs host inspection and command execution.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The description frames the skill as a security audit tool, but the documented behavior is materially broader: persistent device ID creation, baseline state mutation, workspace content scanning, network/process enumeration, and optional remote upload. Even if some of this is described elsewhere, the mismatch increases the chance of uninformed consent and unexpected collection/persistence of sensitive host data.

Scope Creep

Severity: High
Confidence: 95%
Finding: The baseline generation mode explicitly hashes highly sensitive files, including /etc/shadow, /etc/passwd, and SSH key authorization files. Even though the script does not upload file contents directly, reading /etc/shadow exceeds the declared scope and creates unnecessary access to credential material; the resulting hashes, and the mere fact of successful access, can also expose privileged reach and normalize overbroad collection.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: In push mode, the code sends X-MAC and X-HOSTNAME headers along with timestamp/nonce/signature, which goes beyond a plain 'summary data upload' claim. This leaks stable host identifiers to the remote service and enables device correlation and tracking, especially when combined with the persisted agent ID.

Scope Creep

Severity: Medium
Confidence: 86%
Finding: The push-mode threat-intel request uploads per-skill metadata including slug, author, version, and ownerId for all installed skills. That exceeds a narrow 'summary' upload and reveals the user's installed component inventory and associated ownership metadata to a third party.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The trigger phrases are extremely broad (`安全检查`, `巡检`, `system security`, etc.), making accidental invocation likely during ordinary conversation. For a skill that reads sensitive host information, writes reports, and can configure persistence, unintended activation materially raises risk.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: Although push mode is flag-gated, the script performs telemetry transmission once --push is present without an active, runtime user-facing confirmation describing the exact identifiers and audit fields being sent. In an agent skill context, command invocation may be indirect, so relying only on a CLI flag is weaker than explicit just-in-time consent.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
**Hard requirements for scheduled tasks**:
- You must use the `openclaw cron add` command
- Using the system crontab (`crontab -e`, etc.) is prohibited
- Reason: the system crontab cannot correctly initialize the OpenClaw environment, which causes execution to fail
- ⚠️ Infrastructure-binding note: using `openclaw cron` ties scheduled execution to the openclaw infrastructure; if you do not want to depend on this infrastructure, you can skip setting up a scheduled task and run it manually instead
- **Never add the `--push` flag to the cron command**: scheduled tasks run only in local offline mode and never automatically report device identifiers to the remote server
Confidence: 93%
Finding: crontab -e

VirusTotal

1/62 vendors flagged this skill as malicious, and 61/62 flagged it as clean.
