Glance

Security checks across malware telemetry and agentic risk

Overview

Glance appears to be a real dashboard skill, but it asks the agent for broad ongoing authority over local commands, credentials, scheduled refreshes, and imported widget instructions.

Install only if you intentionally want OpenClaw to manage a local dashboard with ongoing refresh jobs, stored credentials, and possible local command or CLI use. Prefer manual or verified installation over curl-to-bash, keep Glance bound to localhost or behind strong auth, review imported widgets and fetch.instructions before enabling cron, avoid pasting broad tokens into chat, and use least-privilege credentials you can revoke.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (18)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is presented as dashboard widget management, but these sections expand it into a general-purpose operator that collects arbitrary data and performs execution workflows. That scope expansion is dangerous because it can justify broad tool use under an innocuous activation surface, increasing the chance the agent is induced to run unrelated or sensitive tasks.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This section explicitly instructs the agent to use PTY, exec, browser automation, API access, and subagents for arbitrary data collection and refresh handling. That grants a widget skill broad operational authority beyond its declared purpose, creating a strong path to command execution, data exfiltration, and misuse of ambient credentials if a widget definition or refresh instruction is adversarial.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
By declaring local CLI tools and interactive terminals as supported capabilities, the skill normalizes privileged local execution for routine widget work. That materially increases risk because any malicious or malformed widget instructions can pivot into shell access or sensitive local inspection under the guise of refresh behavior.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The documentation expands a dashboard/widget-management skill into agent-side credential and local software execution territory, including commands like `gh auth status` and machine-resident tooling checks. That materially increases the trust boundary and can cause an agent to inspect or depend on host machine state unrelated to simple widget CRUD, creating a path to unintended local access and command execution.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The `agent_refresh` workflow explicitly instructs the agent to process refresh events by looking up instructions, spawning a subagent, and running local commands or external API collection steps. For a widget-management skill, this is an unjustified expansion into generalized task execution and creates a dangerous bridge from remote widget definitions to host-side behavior.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The README encourages invocation with broad natural-language phrases like "show me my GitHub PRs" and "what needs my attention?" without defining clear trigger boundaries or requiring explicit confirmation for side-effecting actions. In an agent skill, ambiguous phrases can cause unintended activation and lead to dashboard modification, API calls, or credential handling when the user may have only been asking a general question.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly states that OpenClaw may take existing API keys from its memory and store them in Glance's credential database, but the user-facing description does not prominently warn that natural-language requests can trigger credential storage. This creates a consent and secret-handling risk because users may invoke the skill casually without realizing sensitive credentials will be persisted in another local system.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation phrases are broad enough to match many ordinary dashboard, metrics, and API-data requests, which can cause the skill to trigger in situations beyond the user's intended scope. Overbroad invocation is dangerous here because the skill contains high-authority behaviors, so accidental activation can lead to unnecessary access to local tools, credentials, or networked systems.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The documentation tells operators to configure auth-related environment variables and tokens but does not pair that with clear warnings about credential sensitivity, least privilege, or storage hygiene. In a skill that also uses network access and automation, this omission increases the chance of unsafe token handling or over-privileged credential reuse.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill explicitly documents that local requests with an Origin header bypass Bearer-token authentication. This weakens the authentication model and can let local or same-host processes interact with protected widget APIs without a real credential, which is especially dangerous because the APIs support cache updates and potentially execution-triggering behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation exposes destructive dashboard actions such as widget deletion and bulk layout replacement without warning that these operations can remove user-visible content or significantly alter a user's interface state. In an agent skill context, lack of explicit guardrails can cause an LLM-driven agent to perform irreversible or disruptive actions based on ambiguous prompts, making accidental misuse more likely.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Broad trigger phrases like generic dashboard/status requests can cause the skill to activate when the user did not intend widget operations. In an agentic environment with write/delete capabilities, overbroad activation increases the chance of unintended actions against dashboard state or related data sources.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Examples like 'What needs my attention?' and 'Give me a status update' are everyday phrases that can spuriously route unrelated conversations into this skill. Because the skill can read dashboards, credentials status, and perform widget operations, accidental invocation broadens exposure and may lead to unintended data access or mutations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow instructs the agent to have users paste sensitive API tokens directly into chat and then store them, without strong warning about secret-handling risks or safer alternatives. Chat channels are often logged, retained, or visible to intermediaries, so encouraging direct secret submission increases the risk of credential leakage.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The integration guide again normalizes collecting API tokens via conversational messages, which conditions the agent to solicit secrets in-band. This is dangerous because it turns a chat interface into a credential collection surface without clear assurances around storage, visibility, or redaction.

External Script Fetching

High
Category
Supply Chain
Content
#### Option A: One-Line Install (Recommended)

```bash
curl -fsSL https://openglance.dev/install.sh | bash
```

This will:
Confidence
98% confidence
Finding
curl -fsSL https://openglance.dev/install.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
#### Option A: One-Line Install (Recommended)

```bash
curl -fsSL https://openglance.dev/install.sh | bash
```

This will:
Confidence
97% confidence
Finding
| bash

Tool Parameter Abuse

High
Category
Tool Misuse
Content
---

### DELETE /api/dashboard/:instanceId

Remove a widget from the dashboard.
Confidence
95% confidence
Finding
DELETE /api/dashboard/:instanceId

VirusTotal

64/64 vendors flagged this skill as clean.
