Back to skill

Security audit

Glance

Security checks across malware telemetry and agentic risk

Overview

Glance appears to be a legitimate dashboard skill, but it gives the agent broad ongoing authority over local commands, stored credentials, scheduled refreshes, and imported widget instructions.

Install only if you intentionally want OpenClaw to manage a local dashboard with recurring refresh jobs, stored credentials, and possible local command or CLI use. Prefer a verified/manual install over curl-to-bash, keep Glance local or behind strong auth, review imported widgets and fetch.instructions before enabling refresh schedules, and use least-privilege tokens you can revoke.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The README documents an endpoint that executes widget server code (`POST /api/widgets/:slug/execute`) even though the skill is framed as a dashboard/widget manager. In an agent-integrated system where widgets may be created from natural language or imported packages, this materially expands scope into arbitrary code execution and creates a dangerous trust boundary if untrusted widget definitions can reach that endpoint.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill documents storing credentials and proxying third-party API calls, which significantly broadens capability beyond simple dashboard rendering. Combined with agent-managed widget creation, this can enable secret aggregation, unauthorized API use, and SSRF/data exfiltration risks if proxy destinations, credential binding, or widget logic are not strictly constrained.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This section explicitly instructs the agent to use broad local execution primitives such as exec, PTY, browser automation, and API access as part of normal skill operation. For a widget-management skill, that materially expands capability from scoped dashboard configuration into general-purpose host interaction, increasing the risk of arbitrary command execution, local data access, and abuse via malicious widget instructions.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The agent_refresh contract turns the skill into an orchestration framework: it tells the agent to register cron jobs, query a local database for instructions, spawn subagents, and execute arbitrary collection workflows. Because fetch.instructions is treated as the source of truth, any malicious or unsafe widget definition could drive recurring, semi-autonomous actions on the host.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This section expands the skill from dashboard/widget management into agent-side credential checks and local software access on the OpenClaw host. That materially increases the trust boundary: a widget-management skill can now cause the agent to inspect local tooling state and rely on host-side auth, which can be abused to probe the environment or trigger actions outside the expected Glance API scope.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The agent-refresh design instructs the agent to spawn subagents and execute local shell commands based on widget-defined instructions stored in the database/package. Because widget packages are portable/shareable and their instructions become the 'single source of truth,' importing a malicious widget can turn a dashboard feature into a general local-command execution channel on the agent machine.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger language is very broad (`add something to their dashboard`, `show metrics/stats`, `display API data`, `monitor usage`) and overlaps with common user requests. In an agent ecosystem, overly broad activation can cause the skill to engage unexpectedly, leading the agent to store credentials, create widgets, or invoke sensitive APIs when the user may have intended a different tool or a non-persistent action.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The README promotes free-form natural-language widget requests without clear boundaries on what the agent may build or what operations are considered safe. This ambiguity increases the chance that normal conversational requests are interpreted as permission to create code-backed widgets, connect third-party services, or persist data unexpectedly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README states that the agent already knows the user's API keys and can store them in Glance, but it does not present a strong warning or explicit consent requirement for handling sensitive secrets. In practice, this normalizes silent secret movement between systems, increasing the risk of unintended credential persistence, overbroad reuse, and compromise through downstream widget/proxy features.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents destructive dashboard actions such as widget deletion and bulk layout changes without any guidance to obtain user confirmation or warn about side effects. In an agent setting, this increases the chance that a model will perform irreversible or unwanted state changes from ambiguous prompts, causing loss of user configuration or disruption of monitoring views.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger guidance includes broad phrases like generic dashboard/status/update requests that overlap with ordinary conversation. In an agentic system, that can cause unintended invocation of a powerful skill that reads dashboard contents, handles credentials, creates widgets, or performs follow-on actions the user did not explicitly request.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The prompt examples reinforce ambiguous activators such as 'what needs my attention' and 'give me a status update,' which are common conversational phrases. This increases the chance the skill is selected in contexts where the user wanted a general assistant response, not access to dashboard data or widget operations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation tells the agent to solicit and accept secrets pasted directly into chat, then store them, without strong warnings or safer alternatives. Collecting API tokens in conversational channels increases the chance of accidental exposure through logs, transcript retention, model context reuse, screenshots, or user misunderstanding about sensitivity.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
---

### DELETE /api/dashboard/:instanceId

Remove a widget from the dashboard.
Confidence
90% confidence
Finding
DELETE /api/dashboard/:instanceId

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.