Security audit

Openclaw Aligenie Push

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but its push server and credential flow are under-protected enough that users should review it carefully before installing.

Install only if you can operate the push server behind authentication, HTTPS, and restricted ingress. Do not expose /push publicly without access control, do not store AppSecret or device openId in shared markdown or version-controlled files, and avoid sending sensitive reminders, secrets, personal data, or private task results to a voice device.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Tainted flow: 'text' from requests.get (line 145, network input) → requests.post (network output)

Medium
Category
Data Flow
Content
device_type: "speaker" = screenless speaker, "screen" = device with a screen
    """
    try:
        resp = requests.post(
            PUSH_API_URL,
            headers={
                "Authorization": f"Bearer {access_token}",
Confidence
92% confidence
Finding
resp = requests.post( PUSH_API_URL, headers={ "Authorization": f"Bearer {access_token}", "Content-Type": "application/json",

Tainted flow: '_push_server' from os.environ.get (line 86, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
loop = asyncio.get_event_loop()
        response = await loop.run_in_executor(
            None,
            lambda: requests.post(
                _push_server,
                json=payload,
                headers={"Content-Type": "application/json"},
Confidence
90% confidence
Finding
lambda: requests.post( _push_server, json=payload, headers={"Content-Type": "application/json"}, timeout=15, )

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The /push endpoint accepts raw appId and appSecret values from callers and then uses them to obtain an OAuth token and perform an external API action. This makes the server a generic credential-using proxy, increasing the risk of credential misuse, abuse by unauthorized callers, and accidental handling of third-party secrets.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The Flask app exposes an unauthenticated /push service and by default binds to 0.0.0.0, making it reachable on all interfaces. In this skill context, that is more dangerous because the service can be abused remotely to send arbitrary voice pushes, consume API quotas, or generate misleading notifications to users' devices.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The skill reads credentials and device identifiers from a local workspace file (~/.openclaw/workspace/TOOLS.md), expanding its access beyond the immediate task and creating a secondary secret source that may contain unrelated data. This is risky because markdown files are not a secure secret store, may be broadly readable, and make accidental credential exposure or misuse more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The deployment guide instructs operators to expose TCP port 58472 to 0.0.0.0/0, making the push service reachable from the entire internet, but it does not warn about the attack surface or require authentication, IP allowlisting, TLS, or reverse-proxy protections. In the stated architecture, this service appears to accept HTTPS/HTTP push requests that can trigger downstream actions, so public exposure materially increases the risk of unauthorized access, probing, abuse, or service disruption.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The description includes broad activation conditions such as pushing whenever the system 'needs' to notify the user, rather than limiting invocation to narrow, explicit user phrases. That can cause overbroad triggering and unintended message delivery to a household device, especially in shared environments where broadcasts may disclose task status or private content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This skill is specifically designed to proactively broadcast messages to a voice device, yet the documentation provides no warning about privacy, shared-space exposure, or accidental disclosure of sensitive information. In context, that omission is meaningful because task results, reminders, or status messages may be spoken aloud to unintended listeners.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The mock server logs raw request fields including OpenId and text content, which can expose identifiers and potentially sensitive user message contents to anyone with log access. Even though this is a local test server and not a production push service, developers commonly reuse test tooling or collect logs centrally, so this creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Allowing sensitive app credentials to be supplied in the request body encourages clients to send secrets over an operational API and causes the server to relay them to an external OAuth endpoint. Even if TLS is used, this expands secret exposure into request logs, client code, debugging traces, and intermediary systems.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.