OpenClaw Theme Patcher

Security checks across malware telemetry and agentic risk

Overview

This skill openly helps modify local OpenClaw UI theme files and does not show hidden data theft, destructive behavior, or automatic persistence.

Install only if you are comfortable with an agent editing your installed OpenClaw UI bundles. Keep backups, confirm the active OpenClaw path before patching, use trusted simple theme IDs, and be prepared to restore the original JS/CSS if the UI breaks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill instructs the agent to read, modify, and overwrite live installed frontend bundles and to run shell commands, yet it declares no permissions. That mismatch hides powerful capabilities from whatever approval or policy layer is supposed to govern file and shell access, increasing the chance of unauthorized or unsafe modifications to a live installation.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script writes the full installed JS and CSS bundles to the backup directory, even though its stated purpose is to back up a specific theme. Bundled frontend assets often contain more than theme data, including proprietary code, embedded configuration, endpoints, feature flags, and other customizations; copying all of it broadens data exposure and creates unnecessary retention of sensitive application internals.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script launches bash -lc to run which openclaw and then readlink -f on the result, unnecessarily invoking a shell for installation discovery. Because bash -lc resolves commands using the caller's environment and PATH, a manipulated environment or aliased/shadowed binary could misdirect the script to an attacker-controlled location, causing it to read and back up arbitrary files under a forged installation path.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file explicitly instructs the agent to modify live installed frontend bundles under dist/control-ui/assets, but it does not lead with a clear warning that these are active application files whose integrity, upgradeability, and availability may be affected. In an agent context, this increases the chance of unreviewed in-place production changes, accidental corruption of minified assets, and difficult rollback if the patch is wrong.

VirusTotal

56/56 vendors flagged this skill as clean.
