Cloud-Local Bridge

Security checks across malware telemetry and agentic risk

Overview

This skill openly aims to bridge cloud and local machines, but it gives remote parties very broad control over local commands, files, and tokens without enough scoping or safeguards.

Install only if you intentionally want another reachable OpenClaw instance to control this machine. Bind it to localhost or a private tunnel, run it as a low-privilege user, protect and rotate the token, avoid exposing it directly to the internet, and add command/file allowlists plus confirmation before using it on sensitive systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (24)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        try:
            # Execute the command
            result = subprocess.run(
                command,
                shell=True,
                capture_output=capture,
Confidence
99% confidence
Finding
result = subprocess.run( command, shell=True, capture_output=capture, text=True, timeout=timeout

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            log_success(f"{dep} 已安装")
        except ImportError:
            log_info(f"正在安装 {dep}...")
            subprocess.run([sys.executable, '-m', 'pip', 'install', dep], check=True)
            log_success(f"{dep} 安装完成")

def generate_token():
Confidence
88% confidence
Finding
subprocess.run([sys.executable, '-m', 'pip', 'install', dep], check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and appears to enable file read/write, network communication, and shell execution, yet declares no permissions. That creates a serious transparency and consent failure: users or hosting systems cannot accurately assess or constrain what the skill can do before installation or execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose understates materially dangerous behavior: remote command execution, arbitrary file access, token/address exchange, callback exfiltration to arbitrary URLs, and local service installation/startup. In a cloud-local bridge context, these hidden or underexplained capabilities can directly enable host compromise, data theft, and covert remote control.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The server documentation advertises path-specific POST endpoints, but do_POST ignores the request path and processes any POST body solely based on the JSON action field. This can create security boundary confusion for upstream proxies, API gateways, logging, or ACLs that expect enforcement by URL path, allowing pairing actions to be invoked on unintended routes.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The server is explicitly designed to execute arbitrary shell commands received over HTTP, which is a direct remote code execution capability. Even though token auth exists, a leaked token, weak deployment exposure, or unauthorized cloud-side use would allow full compromise of the local host.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The reply_to feature posts command results to an arbitrary URL supplied by the requester, enabling exfiltration of stdout/stderr and potentially sensitive local data returned by executed commands. This also creates an SSRF-style outbound request primitive from the local machine to attacker-chosen destinations.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The status endpoint exposes platform, hostname, and optional CPU, memory, and disk telemetry that can help an attacker fingerprint the host and tailor follow-on attacks. In combination with the bridge's command and file features, this information increases operational value for an attacker beyond basic health checking.

Intent-Code Divergence

Medium
Confidence
80% confidence
Finding
The module description understates the true capabilities of the service, which include unrestricted file read/write and system telemetry in addition to command execution. This mismatch can mislead users and reviewers, causing deployment of a much more powerful and risky service than expected.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This installer adds package-management capability by installing Python packages on the local machine, which expands its effective privileges and attack surface beyond simple bridge runtime logic. In a cloud-to-local bridge skill, host modification is more sensitive because users may run it on trusted local systems expecting communication setup, not environment mutation.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The API exposes pairing status and pairing-code existence to any unauthenticated caller. This allows remote enumeration of active pairing attempts, device names, and system activity, which weakens the secrecy of the pairing flow and can aid unauthorized pairing attempts or operational reconnaissance.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The service is described as intended for cloud use, but it binds to 0.0.0.0, exposing the API on all network interfaces by default. In combination with the lack of authentication, this significantly broadens the attack surface and makes the pairing service reachable by unintended hosts on the local network or internet.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad, conversational, and overlap with normal user speech such as '连接', '添加设备', or 'pair'. In a messaging-based control surface, this increases the chance of accidental invocation, unintended pairing, or social-engineered activation by an attacker who can induce a user to send common phrases.

Missing User Warnings

High
Confidence
97% confidence
Finding
The description emphasizes convenience and seamless collaboration but does not clearly warn that the skill supports remote command execution and file synchronization. For a bridge between cloud and local environments, omission of these effects undermines informed consent and can lead users to expose sensitive files or execute dangerous actions without understanding the risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The examples explicitly demonstrate authenticated remote command execution and arbitrary local file reads against a locally hosted bridge, but the surrounding documentation only gives minimal generic safety notes and does not clearly warn about the privacy, integrity, and host-compromise risks. In this skill's context, the bridge is specifically designed to let a cloud component trigger local actions, so normalizing these examples without stronger warnings and access restrictions can lead users to expose powerful control interfaces on their machines.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The download flow writes remote-supplied content to an operator-chosen local path with no path safety checks, and it auto-creates parent directories. In a cloud-to-local bridge context, this increases the danger: a compromised or malicious remote endpoint can cause sensitive local file overwrite if the operator is induced to use unsafe paths, potentially leading to persistence, configuration tampering, or code execution through startup/script locations.

Missing User Warnings

High
Confidence
99% confidence
Finding
The server logs the authentication token in plaintext at startup, which can expose credentials through console history, process supervisors, centralized logging, screenshots, or support bundles. Anyone obtaining the token can invoke the bridge's powerful remote execution and file endpoints.

Missing User Warnings

High
Confidence
98% confidence
Finding
This endpoint runs arbitrary shell commands immediately upon authenticated request without any interactive confirmation, policy enforcement, or safety boundary. Given the bridge runs on a local machine, this permits destructive actions like data theft, malware installation, persistence, or lateral movement.

Missing User Warnings

High
Confidence
99% confidence
Finding
The file endpoint allows authenticated callers to upload arbitrary files and read or download arbitrary local paths with no path restrictions or user confirmation. This enables theft of sensitive files, overwriting user or system files, dropping startup scripts or SSH keys, and other forms of host compromise.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Sending execution results to arbitrary third-party URLs is an outbound data transfer mechanism that users may not expect from a local bridge. Without explicit disclosure and restriction, it can silently leak sensitive output, environment data, and command results to attacker-controlled infrastructure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script writes a long-lived authentication token into a config file under the user's home directory without warning, consent, or explicit permission hardening. In a bridge that exposes local access to cloud-side components, careless token storage can enable unauthorized local control if the file is read by other users, malware, backups, or logs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Automatically running pip install without explicit user confirmation is a meaningful security concern because it performs network-backed code acquisition and host modification. In the context of a cloud-local bridge, this behavior increases the trust burden and could expose the local machine to dependency confusion, malicious packages, or unwanted environment drift.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code automatically captures, stores, and returns bridge server addresses and authentication tokens during pairing without clear consent, scoping, encryption, or any warning to the user. This is dangerous because anyone who obtains a valid 6-digit pairing code within the window can receive the peer's server and token, enabling unauthorized remote access, command execution, or file sync across the bridge.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The download path is derived from remote-provided filenames and written directly to local disk without validation or explicit overwrite safeguards. A malicious or compromised server could cause arbitrary files under the chosen local base to be created or replaced, and path traversal becomes possible if remote_file values are not constrained to stay within the expected subtree.

VirusTotal

66/66 vendors flagged this skill as clean.
