clawhub
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [Remote Code Execution] (HIGH): The primary purpose of the skill is to download, update, and install executable skill folders from an untrusted source (clawhub.com). There is no evidence of code signing, hash verification, or sandboxing of the downloaded content, so whatever the registry serves runs as arbitrary code in the agent's environment.
- [Indirect Prompt Injection] (HIGH):
  - Ingestion points: External skills are ingested into the workspace via clawhub install and clawhub update (SKILL.md).
  - Boundary markers: None. The skill documentation does not mention any isolation or verification protocol for content fetched from the registry.
  - Capability inventory: The CLI can write to the local filesystem (./skills) and potentially overwrite existing logic that the agent then executes.
  - Sanitization: No sanitization or safety checks are performed on the downloaded skill metadata or code.
- [Unverifiable Dependencies] (MEDIUM): The skill metadata and instructions require global installation of the clawhub npm package. This package is not from a trusted organization and its source code is not verified in this context.
- [Command Execution] (MEDIUM): The skill uses shell commands to manage agent capabilities, including global package installation (npm i -g) and registry operations, which can be exploited if the CLI tool itself contains malicious logic.
Recommendations
- AI detected serious security threats
Audit Metadata