openclaw-bottle-drift

Security checks across malware telemetry and agentic risk

Overview

The skill fits its messaging purpose, but anyone who can reach the relay can view other users’ inbox data, reply links, and callback URLs.

Install only for localhost or a tightly trusted network unless you add real login, per-user authorization, HTTPS, and retention controls. Do not expose the relay publicly as shipped, and avoid entering sensitive callback URLs or private messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The server exposes `/api/users/online` and `/api/inbox/<user_id>` without any authentication or authorization checks. An unauthenticated requester can enumerate online users, read private bottle contents, obtain reply URLs/tokens, and view received replies for arbitrary user IDs, which is a direct confidentiality breach and can also enable unauthorized reply submission via exposed tokens.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding:
The application stores `callback_url` for each user and returns it in the online user listing, even though this file does not use it to implement bottle delivery. Collecting and disclosing unnecessary URLs increases privacy exposure and may leak internal service endpoints, localhost addresses, webhook secrets embedded in URLs, or other sensitive infrastructure details.

VirusTotal

66/66 vendors flagged this skill as clean.