ClawChat - P2P Agent Communication

Security checks across malware telemetry and agentic risk

Overview

ClawChat appears to be a genuine P2P agent-messaging tool, but its verdict is Review because remote messages can trigger local OpenClaw wake events, and the documentation and defaults under-scope the network, persistence, and secret-handling risks.

Install only if you intend to run a network-reachable P2P daemon for trusted agents. Before use, disable or tightly scope OpenClaw wake, replace wildcard peer ACLs with explicit trusted principals, use password files or a secret manager, avoid passing mnemonics or passwords on the command line, and do not copy the poll/path or nohup examples without hardening them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The documented OpenClaw integration causes incoming chat content to trigger a local `openclaw system event`, extending the skill from messaging into local event/action triggering. Even if this is intended functionality, it creates a trust boundary crossing where remote peers can influence local agent behavior, and priority prefixes like `URGENT:` can force immediate wake behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The script trusts a file path embedded in an incoming ClawChat message and then reads and overwrites that path with the agent's privileges. An attacker who can send or spoof a DINNER_POLL_ACTIVE message could point POLL_FILE at any writable file, causing unauthorized file modification or corruption outside the intended shared poll location.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The code advertises a Noise XX-like handshake but omits a core security property: static public keys are sent in cleartext instead of being encrypted under handshake traffic keys. This leaks peer identity to passive observers, weakens privacy guarantees compared to actual Noise XX, and can cause developers to rely on stronger protections than the implementation really provides.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The code derives a temporary handshake key but never uses it, while the responder and initiator exchange static public keys in the clear. In context, this makes the protocol materially less private than expected and indicates an incomplete custom cryptographic design, which is dangerous because callers may assume handshake confidentiality and Noise-style identity protection that do not actually exist.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The daemon executes a host subprocess (`openclaw system event`) based on inbound network message content, which expands its capabilities beyond message transport into local system interaction. Even though arguments are passed without a shell, remote peers can still cause local side effects and potentially spam or manipulate host-integrated notifications/events without explicit user approval.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The function is documented and named as if it validates a BIP39 seed phrase, but it only checks that the input contains 24 whitespace-separated words. This can cause invalid mnemonics to be accepted by upstream logic, leading to broken wallet import flows, misleading security assumptions, and potential fund loss or denial of access when users believe a recovery phrase is valid.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The documentation shows `--password` directly on the command line during gateway initialization without an immediate warning that process listings, shell history, and terminal logging may expose secrets. Users often copy-paste examples verbatim, so this materially increases the chance of credential leakage.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The recovery example places the full 24-word seed phrase on the command line, which is especially dangerous because exposure of the mnemonic can permanently compromise the identity and any associated assets. Command-line arguments may be recorded in shell history, logs, and telemetry, and are visible to other local users via process inspection.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill explicitly instructs users to expose a P2P messaging daemon across machines and share full peer multiaddrs, but it does not warn about the security implications of making a network-reachable endpoint available to untrusted peers. In an agent context, this increases the risk of unauthorized messaging, metadata leakage, unintended wake-triggering, and expansion of the attack surface if users connect bots across home, VPS, or external networks without understanding the trust and firewall requirements.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The watcher example forwards the full received message payload directly into `openclaw system event`, which can expose sensitive or attacker-controlled content to another subsystem, logs, prompts, or automation context. Because incoming P2P messages are untrusted input, this creates a data-leakage and prompt/command-injection propagation risk if downstream consumers treat the event text as trustworthy.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The urgent-message example immediately passes raw message content into an OpenClaw wake event, increasing the chance that sensitive data or attacker-crafted text reaches a high-priority execution path. The `URGENT:` filter reduces volume but not trust risk, since an adversary can label arbitrary content as urgent and trigger immediate processing.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The recipe explicitly instructs users to launch a long-running background watcher with nohup and redirect logs to /tmp, but it does not clearly warn that this creates a persistent process that continues polling indefinitely and writing output after the initiating session ends. In an agent-skill context, this can surprise users, consume resources, leave stale processes behind, and create unintended persistence/logging side effects that are easy to overlook.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The script embeds static passwords for both per-agent identity access and the sender account, exposing credentials in plaintext to anyone who can read the file, shell history, logs, or process arguments. If those credentials are real or copied into production-like use, an attacker could impersonate agents, access identities, or send unauthorized ClawChat messages.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The password is constructed and passed on the command line, which commonly exposes secrets via process listings, shell history, logs, or debugging tools visible to other local users. In addition, the credential is predictable from the agent name and a static suffix, making compromise easier if naming conventions are known.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The CLI prints the newly generated mnemonic directly to stdout, which can be captured by terminal history tools, shell logging, CI logs, wrappers, screen recording, or other monitoring systems. Although showing the seed once is often necessary for wallet backup, exposing it in standard command output without an explicit opt-in or safer display flow increases the chance of accidental secret disclosure.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The CLI accepts a sensitive encryption password via `--password`, which can expose the secret through shell history, process listings, audit logs, or CI job output. In this context, the password protects an identity key, so disclosure can enable an attacker with filesystem access to decrypt the stored identity and compromise the account.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: Remote incoming messages can trigger a local `openclaw` subprocess automatically when `openclawWake` is enabled, with no confirmation or warning at receipt time. This creates a network-to-local-action bridge: an attacker who can send messages to an enabled identity can induce repeated host events, notification abuse, or unintended interactions with whatever trust the local `openclaw` integration has.

Missing User Warnings

Severity: Medium
Confidence: 74%
Finding: The API exposes both the mnemonic and raw private key through the returned wallet object, which substantially increases the chance that calling code logs, serializes, caches, or otherwise leaks highly sensitive key material. In an agent or skill environment, broad object passing and debugging are common, so exposing secrets by default expands the blast radius of any downstream compromise or mishandling.

Session Persistence

Severity: Medium
Category: Rogue Agent
Confidence: 79%
Flagged content (excerpt from the skill's documentation; the excerpt is truncated in the report):

### Implementation

1. **Create the cron job:**
```javascript
// Using OpenClaw's cron tool
{
  "name": "clawchat-monitor",
  "schedule": { "kind": "every", "everyMs": 60000 }, // Every minute
  "sessionTarget": "isolated",
  // excerpt ends here in the scan report
```

Finding: The report's finding field repeats the excerpt above (the `clawchat-monitor` cron job, scheduled every 60000 ms in an isolated session).

Session Persistence

Severity: Medium
Category: Rogue Agent
Confidence: 93%
Flagged content (excerpt from the skill's documentation):

2. **Run as service:**
```bash
# Add to launchd, systemd, or supervisor
nohup ~/.openclaw/workspace/clawchat-watcher.sh > /tmp/clawchat-watcher.log 2>&1 &
```

Finding: `nohup` (the flagged token in the excerpt above).

VirusTotal

65/65 vendors flagged this skill as clean.
