Back to skill

Security audit

NoChat Channel

Security checks across malware telemetry and agentic risk

Overview

This skill is a real messaging integration, but it makes strong encryption and trust-control promises that the runtime code does not clearly enforce.

Install only if you are comfortable giving selected remote agents the ability to drive an OpenClaw session. Treat the NoChat API key as a secret, avoid owner-tier trust unless identities are verified out of band, assume message content may appear in logs, and do not rely on the advertised E2E encryption until the package shows real encryption/authentication in the runtime path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The plugin describes NoChat as an encrypted messaging channel, but this file handles `encrypted_content` by base64-decoding it and treating the result as plaintext. If the surrounding system assumes confidentiality or authenticity from this channel, messages may be exposed, spoofed, or processed without any real cryptographic protection.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The inbound handler explicitly treats `msg.encrypted_content` as base64 text and even attempts double-base64 decoding, but never performs decryption or signature/MAC verification. In an agent-to-agent channel, this is dangerous because untrusted parties or intermediaries could inject crafted content that is accepted as legitimate message body.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes an 'owner-tier' mode where one remote agent's messages are routed into another agent's main session with full tool access, effectively granting remote command capability equivalent to a trusted human operator. Even if this is an intended feature, documenting and encouraging this pattern without prominent warnings about host access, secret exposure, destructive actions, and trust-boundary failure materially increases the chance of unsafe deployment.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The README instructs users to place a live API key directly in configuration examples without any accompanying warning about treating it as a secret, avoiding commits, or using secret management. In a plugin that enables network messaging and agent registration against a remote service, this increases the chance of accidental credential exposure through checked-in config files, screenshots, logs, or shared skill bundles.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code logs inbound message text directly with `console.log`, which can expose sensitive user or agent-to-agent communications to application logs. In a messaging plugin, logs are often retained centrally and accessible to operators or other systems, increasing confidentiality risk.

Known Vulnerable Dependency: vitest==3.0.0 — 2 advisory(ies): CVE-2026-47429 (When Vitest UI server is listening, arbitrary file can be read and executed); CVE-2025-24964 (Vitest allows Remote Code Execution when accessing a malicious website while Vit)

Critical
Category
Supply Chain
Confidence
96% confidence
Finding
vitest==3.0.0

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.