openclaw-bottle-drift-skill

Security checks across malware telemetry and agentic risk

Overview

The skill matches its messaging purpose, but its relay exposes private inbox, reply-link, and presence data without authentication, especially risky if deployed beyond localhost.

Install only for local testing or a trusted private network unless you add real authentication, remove reply tokens and callback URLs from general list responses, restrict inbox access to the authenticated user, and avoid public deployment with only user_id-based identity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding
The skill declares no permissions in its manifest-like metadata, yet its documented behavior clearly requires network access and likely local file/database access via the Python relay server and SQLite-backed web console. This mismatch can undermine operator trust and permission review, causing the skill to be deployed with capabilities users were not clearly warned about.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The `/api/inbox/<user_id>` endpoint returns a user's full received bottles, sent bottles, delivery metadata, reply URLs/tokens, and replies without any authentication or authorization check. Any party who can guess or enumerate a valid `user_id` can read private message history and obtain active reply links, causing major confidentiality loss and potentially enabling unauthorized replies.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The `/api/users/online` endpoint discloses all online users' `user_id`, `display_name`, `callback_url`, and presence timing to any unauthenticated caller. Exposing callback URLs is especially sensitive because they may reveal internal services, personal endpoints, or network topology unrelated to the stated drift-bottle functionality.

Missing User Warnings

Severity: Low
Confidence: 79%
Finding
The documentation states that identity is stored locally in the browser but does not warn about shared-device risks. On a shared or kiosk-like machine, another user could inherit or overwrite the prior browser-local identity, leading to spoofed messages, privacy leakage, or confusing attribution in the drift-bottle workflow.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The inbox and online-user endpoints expose presence and message data with no access control and no visible privacy boundary, which is a real security and privacy issue rather than merely a disclosure-policy concern. In this skill's context, users are exchanging semi-private drift-bottle messages, so silent exposure of inbox contents and online status is more dangerous because it defeats the expected anonymity and limited-audience model.

VirusTotal

66/66 vendors flagged this skill as clean.
