Openclaw langsmith

Security checks across malware telemetry and agentic risk

Overview

This is a genuine LangSmith observability plugin, but by design it sends full agent prompts, responses, message histories, and tool data to an external service, with only limited privacy controls.

Review this before installing. Use it only if you are comfortable sending full agent conversations, tool inputs/outputs, and memory-related LLM prompts to LangSmith or another configured endpoint. Avoid it for regulated, confidential, customer, credential-bearing, or proprietary workloads unless you add redaction/minimization controls and confirm LangSmith retention and access policies. Treat the unsafe-install override and fork/provenance mismatch as reasons to inspect the source and pin the exact artifact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Context-Inappropriate Capability
Severity: Medium
Confidence: 91%
Finding: This tracer is intentionally designed to capture and forward rich conversational telemetry, including prompts, message history, tool inputs, and model outputs. In a security review, that is still a real data-exposure risk because these fields can contain secrets, personal data, credentials, or other sensitive tenant content, and the file applies only limited sanitization for a specific metadata block rather than general redaction/minimization.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The README explicitly states that agent turns, tool calls, prompts, responses, token usage, and metadata are transmitted to LangSmith, but it does not present a prominent privacy warning or data-handling caveat. In an agent/plugin context, these traces can contain secrets, personal data, internal prompts, and message content, so enabling this feature without strong disclosure materially increases the risk of unintended data exfiltration to a third-party service.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The README says Engram LLM traces include full prompt text and full output text with no truncation, which significantly raises the chance that secrets, memory contents, personal data, or proprietary context will be sent to LangSmith. Because memory/extraction pipelines often handle especially sensitive context, the absence of a prominent warning and safeguards makes this a real privacy/security issue.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: This plugin captures and exports highly sensitive runtime data to an external LangSmith endpoint, including prompts, message history, tool parameters, tool results, and LLM outputs. In an agent setting, those fields can contain secrets, personal data, internal documents, or credentials, and this file does not implement consent, redaction, minimization, or clear disclosure before exfiltrating that data.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: This plugin forwards highly sensitive agent data to an external LangSmith endpoint, including prompts, system prompts, message history, assistant outputs, tool parameters/results, session identifiers, and metadata. In an agent runtime, that data can contain secrets, personal data, internal documents, and untrusted conversation context; without explicit consent, minimization, or redaction controls, this creates a real data-exfiltration and privacy risk.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The manifest enables tracing of agent turns, tool calls, and LLM activity to a third-party LangSmith endpoint, but provides no user-facing notice, consent mechanism, or indication of what data may be transmitted. In an agent context, traces can contain prompts, tool inputs/outputs, and potentially sensitive user or system data, so silent telemetry creates a real privacy and data-leakage risk.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: This plugin captures and forwards prompts, full message histories, tool parameters/results, and LLM trace events to an external LangSmith service whenever an API key is configured. In an agent/plugin context, those payloads can contain sensitive user data, secrets, file contents, or tool outputs, and this file provides no consent gate, redaction, or minimization before transmission, creating a real data-exposure risk.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The code sends full interaction content to an external LangSmith client via createRun/updateRun, but there is no evidence in this file of consent, disclosure, or gating before exporting that data. Even if meant for observability, silent third-party transmission of prompts, chat history, tool parameters, and assistant responses can violate privacy expectations and expand the blast radius of any downstream compromise or misconfiguration.

VirusTotal

65 of 65 vendors rated this plugin as clean.