Openclaw Devboxes Skill

Security checks across malware telemetry and agentic risk

Overview

This devbox skill appears purpose-built for container infrastructure, but it asks for host-level control and includes unsafe setup guidance that users should review carefully.

Install only if you intentionally want an agent to manage Docker-backed devboxes and the related Cloudflare/GitHub infrastructure. Do not follow the guidance that makes the Docker socket world-writable or that chmods host paths on a shared or sensitive machine; use least-privilege scoped tokens, rotate any credentials you provide, and do not expose the IDE/browser service unless it is behind authentication.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill performs shell execution and file writes but does not declare permissions, reducing transparency and defeating least-privilege review. In this skill, those capabilities are central to modifying OpenClaw config, Docker state, and local files, so the mismatch materially increases risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The description understates materially sensitive behaviors: browser automation exposure, CDP access, host Docker control, and Cloudflare DNS/tunnel registration. This can cause operators to invoke the skill under the assumption it only manages devboxes, when it also alters network exposure and external infrastructure.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The onboarding flow requires direct access to the host Docker socket and modifies parent platform configuration, which exceeds ordinary container lifecycle management. Granting an agent these capabilities effectively gives control over the host container environment and can lead to container breakout-equivalent administrative power.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill collects reusable GitHub and Cloudflare credentials and persists them into configuration/environment for future use. Long-lived secrets broaden blast radius if the agent, logs, config store, or spawned devboxes are compromised.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The onboarding changes global agent topology, default agent behavior, sandbox settings, and inter-agent communication. Those are platform-wide security boundary changes, not merely devbox setup, and can weaken isolation for unrelated tasks.

Missing User Warnings

High
Confidence
99% confidence
Finding
The README explicitly instructs users to run `chmod 666 /var/run/docker.sock`, making the Docker daemon accessible to any local user or process. Access to the Docker socket is effectively root-equivalent on the host, so world-writable permissions create a severe host-compromise path far beyond normal devbox functionality.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README directs the agent to store Cloudflare API and tunnel credentials in agent configuration without clear guidance on secret handling, access controls, or minimization. In this skill context, those credentials can modify DNS and tunnels for a live domain, so exposure could enable traffic interception, service impersonation, or infrastructure disruption.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger language is broad enough to match routine development or environment-help requests, causing accidental activation of a highly privileged skill. Because this skill can alter Docker, routing, and platform config, mistaken invocation materially increases risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill directs collection of sensitive GitHub and Cloudflare tokens without an explicit warning about confidentiality, storage, reuse, and scope. Users may provide overprivileged credentials without understanding that they may be embedded into config or exposed to spawned environments.

Missing User Warnings

High
Confidence
97% confidence
Finding
The instructions recommend weakening host permissions on the Docker socket and bind-mounted paths (`chmod 666` / `chmod 777`) without prominent safety warnings. These changes can grant broad write access to highly sensitive resources, enabling host compromise, container control, or tampering by unintended processes.

Missing User Warnings

High
Confidence
98% confidence
Finding
This is a real vulnerability: OpenVSCode Server is launched with `--host 0.0.0.0` and `--without-connection-token`, which disables its built-in authentication while binding it to all interfaces. In the context of a devbox manager that exposes services over web routing infrastructure, this can allow any reachable client to access the IDE, read and modify source code, execute terminal commands, and potentially steal secrets from the container or connected development environment.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
| ------------------------------ | --------------------- | --------------------------------------------- |
| `/home/node/.openclaw/traefik` | `/traefik`            | Route configs (only if using Traefik routing) |

**Important:** Due to OpenClaw Security measures, all user capabilities are dropped by default. So even root (in the devbox) has no write access to bind mounts, and can only read from them. The only solution currently is `chmod 777` on the host path that is mapped to `/home/node/.openclaw/traefik`.

### Known Paths
Confidence
95% confidence
Finding
chmod 777

Tool Parameter Abuse

High
Category
Tool Misuse
Content
| ------------------------------ | --------------------- | --------------------------------------------- |
| `/home/node/.openclaw/traefik` | `/traefik`            | Route configs (only if using Traefik routing) |

**Important:** Due to OpenClaw Security measures, all user capabilities are dropped by default. So even root (in the devbox) has no write access to bind mounts, and can only read from them. The only solution currently is `chmod 777` on the host path that is mapped to `/home/node/.openclaw/traefik`.

### Known Paths
Confidence
96% confidence
Finding
`chmod 777` on the host path that is mapped to `/home/node/.openclaw/traefik`. ### Known Paths These paths are always the same inside the OpenClaw container: - **OpenClaw data:** `/home/node/.opencl

VirusTotal

64/64 vendors flagged this skill as clean.