Security audit

openclaw-connect: skill dedicated to child (worker) nodes

Security checks across malware telemetry and agentic risk

Overview

This is a genuine OpenClaw worker node, but it needs review because it runs persistently with high authority, exposes unauthenticated local management APIs, stores secrets in plaintext, and automatically uploads local OpenClaw workspace data to the Hub.

Install only if you trust the Hub operator and intend this machine to be a managed worker that can execute remote tasks and share local OpenClaw workspace data. Before deployment, require HTTPS to the Hub, firewall or reverse-proxy the node UI/API with authentication, run under a dedicated non-root account where possible, lock down .env and node.json permissions, redact config output, and disable or gate task execution and memory/persona syncing if they are not needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (10)

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The documentation explicitly states that node credentials are automatically persisted to ~/.openclaw-node/node.json, but it provides no warning about the sensitivity of APP_KEY and APP_TOKEN or the need to protect file permissions. If that file is readable by other local users, captured in backups, or exposed through host compromise, an attacker could reuse the credentials to impersonate the node or access the Hub.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The task execution section says the node pulls and executes Hub-assigned tasks via the local gateway, proxy API, or CLI, but it does not clearly warn that this grants remote task execution capability on the host. In this context, the omission is dangerous because operators may deploy it without understanding that compromise of the Hub, node credentials, or task pipeline could lead to arbitrary command or tool execution on the machine.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The page exposes a live session token in the UI behind a simple show/hide toggle, with no re-authentication, warning, masking controls, or copy restrictions. In the context of a settings page that already displays connection details, this increases the chance of shoulder surfing, screen-share leakage, or accidental disclosure of credentials that may allow unauthorized access to the Hub or related services.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The script writes APP_KEY and TOKEN into a plaintext .env file on disk without setting restrictive permissions or warning the user. On multi-user systems, backups, support bundles, accidental file sharing, or permissive directory modes can expose these credentials and allow unauthorized access to the Hub or node.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: The generated management command prints the full .env file, including NODE_APP_KEY and NODE_TOKEN, via the config subcommand. Any operator with access to run this helper can trivially recover credentials, increasing the chance of credential leakage through terminals, logs, screenshots, shell history, or delegated admin access.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The node automatically reads local workspace memory files and includes their contents in heartbeat payloads to the Hub, with no consent flow, disclosure, filtering of secrets, or clear opt-in visible in this file. That can exfiltrate sensitive prompts, notes, credentials, or internal data from the local workspace to a remote service whenever the node is connected.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The code scans local identity, soul, and skills files and sends them to the Hub during agent registration without any visible notice or approval path. Those files can contain personal identity details, behavioral instructions, proprietary workflows, or other sensitive metadata that should not be silently exported.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: Hub credentials, app secrets, and session tokens are persisted to disk in a predictable location without any indication of encryption, file permission hardening, or user warning. If the host is multi-user, backed up insecurely, or later compromised, those tokens can be stolen and used to impersonate the node or access Hub resources.

Ssd 3
Severity: High
Confidence: 96%
Finding: This logic performs automatic collection and transmission of workspace memory content to the Hub as part of the normal heartbeat workflow, making data export implicit and recurring. Because the content is plain-language workspace material, it may contain secrets, personal data, or sensitive operational context, and routine syncing increases both the exposure surface and the blast radius.

Ssd 3
Severity: Medium
Confidence: 91%
Finding: The agent-registration path reads local persona and workspace metadata and uploads it upstream, which is a form of silent data export. Even if intended for functionality, it exposes local configuration and behavioral context that may reveal internal processes or sensitive information to the Hub without clear operator awareness.

VirusTotal

65/65 vendors flagged this skill as clean.