Subagent Dashboard

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real dashboard, but it exposes powerful unauthenticated web controls that can read sensitive agent data and modify local files, git state, and OpenClaw session records.

Install only if you intend to run a privileged local admin server. Keep it bound to a trusted machine, do not expose the port through containers, tunnels, or shared networks, and assume anyone who can reach it may view agent transcripts, alter workspace files, change git state, and modify OpenClaw session records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (22)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    workspace_path = OPENCLAW_HOME / "workspace"

    try:
        subprocess.run(
            ["git", "add"] + paths,
            cwd=str(workspace_path),
            timeout=5
Confidence
95% confidence
Finding
subprocess.run( ["git", "add"] + paths, cwd=str(workspace_path), timeout=5 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    workspace_path = OPENCLAW_HOME / "workspace"

    try:
        subprocess.run(
            ["git", "reset", "HEAD"] + paths,
            cwd=str(workspace_path),
            timeout=5
Confidence
95% confidence
Finding
subprocess.run( ["git", "reset", "HEAD"] + paths, cwd=str(workspace_path), timeout=5 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        cmd = ["git", "push"]
        if branch:
            cmd.extend(["origin", branch])
        subprocess.run(cmd, cwd=str(workspace_path), timeout=30)
        return jsonify({"success": True})
    except Exception as e:
        return jsonify({"error": str(e)}), 500
Confidence
88% confidence
Finding
subprocess.run(cmd, cwd=str(workspace_path), timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return jsonify({"error": "branch is required"}), 400

    try:
        subprocess.run(
            ["git", "checkout", branch],
            cwd=str(workspace_path),
            timeout=5
Confidence
92% confidence
Finding
subprocess.run( ["git", "checkout", branch], cwd=str(workspace_path), timeout=5 )

Tainted flow: 'workspace_path' from os.environ.get (line 2981, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    workspace_path = OPENCLAW_HOME / "workspace"

    try:
        subprocess.run(
            ["git", "add"] + paths,
            cwd=str(workspace_path),
            timeout=5
Confidence
83% confidence
Finding
subprocess.run( ["git", "add"] + paths, cwd=str(workspace_path), timeout=5 )

Tainted flow: 'workspace_path' from os.environ.get (line 2981, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    workspace_path = OPENCLAW_HOME / "workspace"

    try:
        subprocess.run(
            ["git", "reset", "HEAD"] + paths,
            cwd=str(workspace_path),
            timeout=5
Confidence
83% confidence
Finding
subprocess.run( ["git", "reset", "HEAD"] + paths, cwd=str(workspace_path), timeout=5 )

Tainted flow: 'cmd' from os.environ.get (line 1858, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
        cmd = ["git", "push"]
        if branch:
            cmd.extend(["origin", branch])
        subprocess.run(cmd, cwd=str(workspace_path), timeout=30)
        return jsonify({"success": True})
    except Exception as e:
        return jsonify({"error": str(e)}), 500
Confidence
84% confidence
Finding
subprocess.run(cmd, cwd=str(workspace_path), timeout=30)

Tainted flow: 'workspace_path' from os.environ.get (line 2981, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
        return jsonify({"error": "branch is required"}), 400

    try:
        subprocess.run(
            ["git", "checkout", branch],
            cwd=str(workspace_path),
            timeout=5
Confidence
86% confidence
Finding
subprocess.run( ["git", "checkout", branch], cwd=str(workspace_path), timeout=5 )

Tainted flow: 'req' from os.environ.get (line 1881, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    url = f"{GATEWAY_URL.rstrip('/')}/api/agents"
    try:
        req = urllib.request.Request(url, method="GET")
        with urllib.request.urlopen(req, timeout=timeout_sec) as resp:
            data = json.loads(resp.read().decode())
    except (urllib.error.URLError, urllib.error.HTTPError, OSError, json.JSONDecodeError, ValueError) as e:
        print(f"Overstory agents fetch failed: {e}", file=sys.stderr)
Confidence
97% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout_sec) as resp:

Tainted flow: 'file_path' from os.environ.get (line 2948, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    file_path = OPENCLAW_HOME / "workspace" / path.lstrip('/')
    try:
        file_path.parent.mkdir(parents=True, exist_ok=True)
        with open(file_path, 'w', encoding='utf-8') as f:
            f.write(content)
        return jsonify({"success": True})
    except Exception as e:
Confidence
98% confidence
Finding
with open(file_path, 'w', encoding='utf-8') as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises only a monitoring dashboard, but the documented installation and usage imply shell execution, local web serving, environment-variable use, and access to sensitive session/transcript files without any declared permission model. That gap can cause operators to grant or overlook powerful capabilities they did not explicitly review, increasing the risk of unintended file, network, or process exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
A description-behavior mismatch is a serious security issue here because the skill is presented as a read-only subagent dashboard, while the analyzed behavior includes broad workspace browsing, file modification, git operations, gateway access, external service querying, and session control endpoints. Users may invoke or install it expecting passive monitoring, but it appears to expose capabilities that can alter code, exfiltrate data, or control agents beyond the stated scope.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
Although the skill is described as a subagent monitoring dashboard, it exposes generic file tree, read, write, delete, and rename APIs over the workspace. This is dangerous because it turns a read-oriented operational dashboard into a general-purpose remote file manager, greatly expanding the attack surface and enabling unauthorized modification or destruction of project files.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The dashboard also exposes broad git mutation capabilities including staging, unstaging, commit, push, pull, and checkout, which are unrelated to the stated monitoring purpose. In a dashboard reachable from a browser, these endpoints can change repository state and potentially sync changes to remotes, making compromise or misuse materially more damaging.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Embedding generic file editing APIs in a subagent dashboard is context-inappropriate and materially increases risk because users and deployers may treat the service as low-risk observability tooling. That mismatch makes dangerous capabilities easier to expose without proper hardening, enabling arbitrary workspace tampering if the dashboard is accessed cross-origin or by an unauthorized party.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Repository mutation and remote sync operations are especially risky in a monitoring dashboard because they permit persistent and potentially remote-impacting changes from a browser-facing API. This violates least privilege and can enable unauthorized code changes, branch switching, destructive pulls, or exfiltration through push if the service is abused.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The implementation presents certain actions as placeholders requiring gateway access, but nearby logic actually performs local destructive cleanup and rewrites session/run state files to force cancellation. This discrepancy is dangerous because operators may underestimate the side effects and expose the feature without appropriate safeguards.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill documentation tells users to start a local web server but does not warn that the dashboard exposes sensitive agent transcripts, session metadata, and task data over HTTP. Even if bound to localhost, this increases the attack surface for local adversaries, malicious browser extensions, cross-origin abuse, port forwarding mistakes, or accidental exposure through container/remote-dev environments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The file write/delete/rename endpoints perform destructive actions without any visible evidence of server-side user confirmation, authorization, or clear disclosure. While lack of warning alone is not the core bug, in this browser-facing service it compounds the risk of accidental or cross-site-triggered destructive actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The git-changing endpoints mutate repository state and can interact with remotes without any evident server-side warning, authz, or transaction safety checks. In a dashboard context, this increases the chance of silent destructive changes or misuse through browser-driven requests.

Known Vulnerable Dependency: Flask==3.0.0 — 1 advisory: CVE-2026-27205 (Flask session does not add `Vary: Cookie` header when accessed in some ways)

Low
Category
Supply Chain
Confidence
86% confidence
Finding
Flask==3.0.0

Known Vulnerable Dependency: flask-cors==4.0.0 — 8 advisories: CVE-2024-6866 (Flask-CORS vulnerable to Improper Handling of Case Sensitivity); CVE-2024-6839 (Flask-CORS improper regex path matching vulnerability); CVE-2024-1681 (flask-cors vulnerable to log injection when the log level is set to debug) +5 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
flask-cors==4.0.0

VirusTotal

66/66 vendors flagged this skill as clean.