xihe-jianmu-ipc

Security checks across malware telemetry and agentic risk

Overview

This skill is a real IPC hub, but it also exposes powerful agent-spawning and tool-tampering behavior that users should review before installing.

Install only if you intentionally want a multi-agent IPC hub that can route prompts between sessions, expose a local HTTP/WebSocket service, and launch additional Claude sessions. Set IPC_AUTH_TOKEN, keep the hub bound to trusted interfaces only, avoid sending secrets over IPC, and do not use ipc_spawn or the channel patching flow unless you accept the risks of dangerous Claude flags and persistent modification of a global Claude Code installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (30)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: This script directly modifies a third-party CLI installation to bypass a built-in safety/control check, replacing a conditional gate with an unconditional true branch. That behavior is unrelated to the stated IPC routing purpose and weakens trust boundaries in the host tool, creating a high-risk supply-chain style modification that can enable unsafe channel loading without the original protections.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding: The comment claims the script only suppresses a warning dialog, but the actual replacement changes an access-token-related conditional to always pass. This mismatch is dangerous because it conceals the real security effect from reviewers and users, potentially bypassing authorization or safety gating rather than just reducing UI friction.

Description-Behavior Mismatch

Severity: High
Confidence: 94%
Finding: The exposed tool surface includes ipc_spawn, which materially exceeds the stated role of a message-routing IPC server by creating new Claude sessions and terminal windows. Capability mismatch is dangerous because users and host systems may grant trust based on the manifest, while the code can initiate additional agent execution paths and local process activity.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: This code can spawn background subprocesses and interactive terminal sessions that run Claude with dangerous flags, creating an agent-launching primitive far beyond simple IPC. In a skill advertised as a communication hub, this broadens the attack surface significantly: untrusted instructions can be delegated to newly created agents with reduced safeguards, enabling persistence, lateral tasking, or unsafe local actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding: Autostarting the local hub adds covert process-management behavior not obvious from the MCP server's declared communication role. While less severe than arbitrary spawning, it still creates an unexpected local execution path and can silently establish infrastructure that users did not intend to run.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: This script intentionally modifies Claude Code's installed CLI to replace a security-relevant conditional with `if(true)`, bypassing the development-channel warning and apparent access-token gate. That is not necessary for an IPC routing skill and directly weakens another tool's built-in safety and authorization controls, making the surrounding skill context more dangerous rather than less.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The script executes `npm root -g` and then overwrites a globally installed third-party package file, giving the skill the ability to tamper with software outside its own directory. For a skill described as a lightweight IPC hub, modifying external global installations is unjustified and creates a persistent integrity compromise that can affect future Claude Code runs.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The comments describe the change as merely skipping a warning dialog, but the actual replacement forces a check to always pass, likely bypassing both a warning flow and an access-token/authentication condition. This mismatch obscures the real security effect of the script and increases the chance a user will run a far more dangerous modification than advertised.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The hub includes an outbound OpenClaw adapter that forwards message content to an external HTTP API, which materially expands the trust boundary beyond a local message router. In this skill context, that creates a real data-exfiltration and unintended side-effect risk: any routed message addressed to an OpenClaw-like session name can cause hub-held content to be sent to another service, potentially with credentials and without strong sender authorization controls.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The module reads OPENCLAW_TOKEN and uses it to invoke an external model API, despite the skill being described as a lightweight IPC hub. In context, this is dangerous because a broadly reachable messaging hub with optionally disabled auth can become a credential-backed proxy for external API calls, enabling unauthorized use of privileged integrations and exfiltration of routed content to third-party services.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: This file implements `ipc_spawn`, which can launch new Claude sessions and terminal windows even though the skill is described as a lightweight IPC/message-routing hub. That expands the trust boundary from messaging into local process execution, enabling an upstream prompt or remote IPC peer to cause local agent proliferation and execution workflows that are unrelated to core routing.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The code can spawn local `claude` processes, background jobs, and interactive terminals from tool input, which is a powerful capability not justified by a messaging hub. In practice this lets untrusted tool callers turn the skill into a local execution/orchestration primitive, increasing the chance of abuse, persistence, and unintended autonomous activity.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The interactive spawn path hard-codes `--dangerously-skip-permissions` and `--dangerously-load-development-channels`, and even runs a patch script to suppress warnings before launching Claude. These flags intentionally weaken safety controls, so any spawned session is created in a less-restricted state that is much easier for prompts or IPC messages to abuse.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The README advertises automatic message delivery, buffering, and idle-session wake-up behavior, but it does not prominently warn users that prompts and message contents may be transmitted across local network services, buffered in memory, and surfaced asynchronously to other AI sessions. In an AI-agent coordination tool, this omission can cause users to send sensitive code, secrets, or operational data under the mistaken assumption that communication is purely local or manually controlled.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: This section explicitly states that messages addressed to an OpenClaw session are forwarded to an external gateway via POST /v1/chat/completions, yet it lacks a direct warning that message contents leave the hub and are submitted to another service for model processing. That creates a meaningful confidentiality risk because users may unknowingly route source code, credentials, or incident data into an external AI endpoint.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The script executes a shell command to locate the global npm root and then silently rewrites another package's installed cli.js file with no strong user warning or integrity check. Even though the command itself is simple, the overall pattern normalizes hidden modification of external tooling and makes the environment harder to audit, roll back, and trust.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: This code forwards received IPC messages to an arbitrary external URL from the IPC_CHANNEL_URL environment variable with no validation, allowlist, consent flow, or transport security enforcement. Because message contents may contain sensitive cross-agent data, this creates a real exfiltration channel and can leak prompts, outputs, tokens, or other internal information to unintended destinations.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The OpenClaw adapter forwards message content to an external HTTP service, potentially including sensitive prompts, tokens, or internal data, without clear user-facing disclosure or consent. In the context of an IPC hub that routes messages between AI agents and tools, this creates a real confidentiality risk because messages expected to stay local may be transmitted to another service based only on recipient naming/routing.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The code launches Claude subprocesses with `--dangerously-skip-permissions` and, in interactive mode, `--dangerously-load-development-channels`, without any warning, consent, or narrowing of what those sessions may do. This weakens runtime protections exactly where the skill is already creating delegated agent sessions, increasing the chance that unsafe or attacker-influenced prompts lead to harmful local actions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The README explicitly describes forwarding user message content between AI sessions and into an OpenClaw gateway, but it does not clearly warn users that prompts, code, secrets, or other sensitive context may be transmitted across processes and services. In a multi-agent tool, that omission can cause accidental data exposure because users may assume communication remains local to a single session when it is actually being routed and replayed elsewhere.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill explicitly enables broad cross-session discovery and message routing (`ipc_sessions`, `ipc_send` to named peers or `*`) but provides no guardrails about exposing session identities, sharing sensitive task context, or broadcasting private data. In a multi-agent environment, this can lead to unintended disclosure of prompts, filenames, operational state, or other sensitive metadata to other connected clients.

Natural-Language Policy Violations

Severity: High
Confidence: 98%
Finding: The rule instructing the agent to 'read [incoming IPC messages] carefully and act on the request' effectively treats messages from other sessions as trusted commands. Because IPC peers are external inputs that may be compromised, spoofed, or simply misaligned with user intent, this creates a confused-deputy/prompt-injection path where an attacker can steer the agent into performing unauthorized actions or exfiltrating information.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The script performs an in-place overwrite of Claude Code's `cli.js` with no backup, consent flow, rollback mechanism, or explicit warning about the security and stability consequences. Silent modification of third-party installed code reduces user awareness and makes it harder to detect or recover from tampering.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: Incoming WebSocket message content is forwarded verbatim to an externally configured HTTP endpoint via IPC_CHANNEL_URL. In an IPC bridge skill whose purpose is cross-AI message routing, this behavior is expected, but it still creates a real data-exposure risk because potentially sensitive prompts, responses, or identifiers can be sent off-host without meaningful consent gating, destination validation, or content filtering beyond stderr logging.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The code appends the auth token to the WebSocket query string and then logs the full URL with `connecting to hub at ${url}`, which exposes credential material in process logs. Query-string tokens are also more likely to leak via logs, diagnostics, proxies, and monitoring systems than header-based authentication.

VirusTotal

65/65 vendors flagged this skill as clean.
