Zz Chat

Security checks across malware telemetry and agentic risk

Overview

This skill can build a real phone-to-OpenClaw chat bridge, but it also deploys cloud infrastructure, runs a persistent local bridge, and sends chat data through weakly protected remote services with incomplete disclosure.

Review before installing. This skill should only be used if you are comfortable deploying a public Cloudflare Worker, storing a stable chat ID locally, and running a persistent network bridge that forwards remote messages into your local OpenClaw agent. Avoid the Node bridge as written, do not enable launchd persistence unless you explicitly need it, and make sure you know how to stop the watchdog, remove the LaunchAgent, and delete ~/.zz state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

High (98% confidence)
Finding
The skill directs the agent to install wrangler, authenticate to Cloudflare, deploy a Worker under the user's account, and set up a local watchdog or launchd service. For a chat skill, these are powerful infrastructure and persistence operations that materially expand attack surface and can leave long-lived services running on the user's machine and cloud account.

Context-Inappropriate Capability

Medium (92% confidence)
Finding
The skill includes friend-to-friend messaging and central registration/discovery functions that are not apparent from the short manifest description. These features introduce additional data flows, user enumeration/discovery risk, and communications capabilities beyond a simple direct chat bridge.

Context-Inappropriate Capability

Medium (79% confidence)
Finding
The skill silently registers the user with an external service and stores the returned identifier locally, which creates an undisclosed data-sharing path beyond a simple local chat helper. In this context, the bridge continuously connects to a remote worker and relays message content, so automatic registration meaningfully increases privacy and tracking risk.

Description-Behavior Mismatch

Medium (95% confidence)
Finding
The skill metadata presents this as direct OpenClaw chat, but the implementation also includes user-to-user friend management, peer messaging, signaling, and fallback REST chat flows. This scope mismatch is security-relevant because users and reviewers may grant trust or permissions based on the narrower description, while the code actually enables broader communications behavior and data exchange.

Intent-Code Divergence

High (99% confidence)
Finding
The UI states that messages only exist locally, but the code sends friend requests, chat payloads, WebRTC signaling data, and QR-related data to remote services. This is a materially misleading privacy claim that can cause users to share sensitive content under false assumptions about storage and transmission.

Context-Inappropriate Capability

High (99% confidence)
Finding
The Durable Object exposes a reset endpoint that unconditionally sets the global registration counter to 0, with no authentication or authorization. Any caller who can reach this route can force ID reuse/collision, disrupting account assignment and potentially causing users to receive messages or state intended for other users.
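The fix for a route like this is an authorization check that runs before the counter is touched. The following is an added example, not the skill's own Worker code: the route names /register and /reset, the RESET_TOKEN binding, the counter storage key, and the in-memory storage stand-in are all assumptions chosen to make the file runnable outside Cloudflare. The comparison is constant-time so that an attacker probing the endpoint cannot recover the token byte by byte from response timing.

```javascript
// Added example (not the skill's code): gate a Durable Object "reset" route behind a
// bearer token so unauthenticated callers cannot zero the registration counter.
// Assumed names: RESET_TOKEN binding, /register and /reset routes, "counter" storage key.

// Constant-time comparison of two strings as UTF-8 bytes. Only the length is allowed
// to leak, which is acceptable for fixed-length secrets.
function timingSafeEqual(a, b) {
  const ea = new TextEncoder().encode(a);
  const eb = new TextEncoder().encode(b);
  if (ea.length !== eb.length) return false;
  let diff = 0;
  for (let i = 0; i < ea.length; i++) diff |= ea[i] ^ eb[i];
  return diff === 0;
}

// True only when the request carries "Authorization: Bearer <env.RESET_TOKEN>" and the
// configured token is long enough to be a real secret (rejects an empty/unset binding).
function isAuthorized(request, env) {
  const header = request.headers.get('Authorization') || '';
  if (!header.startsWith('Bearer ')) return false;
  const presented = header.slice('Bearer '.length);
  return typeof env.RESET_TOKEN === 'string' && env.RESET_TOKEN.length >= 32
    && timingSafeEqual(presented, env.RESET_TOKEN);
}

// Minimal stand-in for the Durable Object. `storage` is anything with async get/put.
class RegistryObject {
  constructor(storage) { this.storage = storage; }

  async fetch(request, env) {
    const url = new URL(request.url);
    if (url.pathname === '/register' && request.method === 'POST') {
      const next = ((await this.storage.get('counter')) || 0) + 1;
      await this.storage.put('counter', next);
      return new Response(JSON.stringify({ id: next }), { status: 200 });
    }
    if (url.pathname === '/reset' && request.method === 'POST') {
      // The finding above: this branch ran unconditionally. Now it requires the token.
      if (!isAuthorized(request, env)) return new Response('forbidden', { status: 403 });
      await this.storage.put('counter', 0);
      return new Response('reset', { status: 200 });
    }
    return new Response('not found', { status: 404 });
  }
}

// In-memory storage so the file runs outside the Workers runtime (constructed stand-in).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  async get(k) { return this.map.get(k); }
  async put(k, v) { this.map.set(k, v); }
}

// Drives register -> anonymous reset -> authenticated reset and returns what the
// counter looked like at each step.
async function demo() {
  const env = { RESET_TOKEN: 'a'.repeat(40) }; // placeholder; set a random secret via wrangler
  const store = new MemoryStorage();
  const obj = new RegistryObject(store);
  const base = 'https://example.invalid';
  await obj.fetch(new Request(base + '/register', { method: 'POST' }), env);
  await obj.fetch(new Request(base + '/register', { method: 'POST' }), env);
  const afterRegister = await store.get('counter');
  const anon = await obj.fetch(new Request(base + '/reset', { method: 'POST' }), env);
  const afterAnon = await store.get('counter');
  const authed = await obj.fetch(new Request(base + '/reset', {
    method: 'POST', headers: { Authorization: 'Bearer ' + env.RESET_TOKEN } }), env);
  const afterAuthed = await store.get('counter');
  return { afterRegister, anonStatus: anon.status, afterAnon,
           authedStatus: authed.status, afterAuthed };
}
```

Run with `node` 18 or later (Request and Response are global there). A reset that still needs to exist at all should be an operator-only action; if nothing legitimately calls it, deleting the route is the stronger fix than authenticating it.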

Missing User Warnings

High (95% confidence)
Finding
The instructions lack clear user warnings that the skill will install tooling, authenticate to Cloudflare, deploy a public-facing Worker, register a global ID, and optionally create a persistent launchd service. Missing disclosure is dangerous because users may unintentionally expose resources, incur costs, or enable ongoing background communications.

Missing User Warnings

Medium (98% confidence)
Finding
Untrusted message content is interpolated directly into a shell command string passed to execSync. Escaping only double quotes is insufficient because the shell still interprets backticks, $(...), and other expansions inside a double-quoted string, so a remote WebSocket sender can achieve command execution on the local host running the bridge.

Missing User Warnings

Medium (81% confidence)
Finding
Incoming message content from the WebSocket is forwarded directly into a local AI agent CLI without trust checks, confirmation, or user warning. Even without shell injection, this creates a prompt-injection and capability-exposure path where a remote sender can drive the local agent into unsafe actions depending on what the OpenClaw agent is allowed to do.

Missing User Warnings

Medium (88% confidence)
Finding
The code performs external registration and then uses a WebSocket channel to exchange chat data and identifiers without any visible consent, notice, or minimization controls. In a chat bridge, undisclosed transmission of user IDs and message contents to a third-party endpoint increases privacy, surveillance, and data-leakage risk.

Missing User Warnings

Medium (95% confidence)
Finding
The page sends user-entered text and image data to a remote endpoint via fetch() and also polls that endpoint for replies, but the UI does not clearly disclose that content leaves the device or identify the receiving service. In a chat skill, users may reasonably assume local/on-platform handling, so undisclosed transmission can create privacy and data-handling risk, especially for images and potentially sensitive conversations.

Missing User Warnings

Medium (97% confidence)
Finding
The code configures a remote API endpoint and public STUN servers for friend requests, chat fallback, and signaling without a clear user-facing warning. Users are not meaningfully informed that identifiers, metadata, and message content may leave the device, which creates privacy and trust risks.

Missing User Warnings

Medium (98% confidence)
Finding
QR generation sends a user-linked bridge URL containing the local identifier to third-party QR services (quickchart.io and api.qrserver.com) without notice. This leaks identifiers and usage metadata to external parties and contradicts the implied local/private nature of the app.

VirusTotal

66/66 vendors reported this skill as clean. Note that a clean antivirus verdict does not address any of the findings above, which concern design and disclosure rather than known-malicious signatures.