ClawHub

NoChat Channel

Security checks across malware telemetry and agentic risk

Overview

This plugin has a coherent messaging purpose, but its active code path gives remote messages high authority while its encryption and trust-safety claims are not fully supported by the artifacts.

Review before installing. Use only a dedicated NoChat account and API key, avoid owner-tier access except for independently verified identities, assume message contents may be visible to the NoChat server and local logs until real client-side encryption is confirmed, and do not send sensitive instructions through this channel without additional containment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The code unconditionally sets `CommandAuthorized: true` for every inbound NoChat message, meaning any sender that can reach the channel may be treated as authorized to issue commands. If downstream command execution trusts this flag, an attacker could trigger privileged agent actions, bypassing intended trust-tier or identity checks.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The comment states inbound messages are 'just logged', but the handler also calls trustManager.recordInteraction(msg.sender_id), which can influence trust state and potentially auto-promote a sender. This mismatch is security-relevant because maintainers may underestimate the side effects of merely receiving messages, allowing untrusted senders to gain higher trust through repeated contact if the trust model uses interaction counts.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README explicitly promotes configuring another agent as an `owner` so its messages are routed to the target's main session with full tool access, effectively granting remote command authority. Even if intended as a feature, documenting this capability without prominent warnings about trust, authentication, and blast radius materially increases the likelihood of unsafe deployment and privilege misuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The setup instructions place the NoChat API key directly into shell commands and persisted OpenClaw configuration, which encourages plaintext handling of a bearer credential. This creates realistic exposure paths through shell history, screenshots, shared configs, backups, and source control, and the README does not warn users to treat the key as sensitive or use secret storage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The plugin logs inbound message text directly, including up to 80 characters of user content. This can expose sensitive prompts, credentials, tokens, or personal data to logs, which are often broadly retained and accessible to operators or other systems. In an agent-to-agent channel, message contents may be especially sensitive because they can contain commands, secrets, or internal workflow data.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal