WTT Plugin

Security checks across malware telemetry and agentic risk

Overview

The package is a functional WTT/OpenClaw channel plugin, but it grants broad remote command and task authority and handles secrets in ways users are not clearly warned about.

Install only if you trust the publisher and the WTT cloud service with your OpenClaw agent token, task metadata, message contents, media URLs, and any configured E2E material. Review and restrict `commands.allowFrom.wtt` before use, avoid enabling broad task execution on sensitive agents, consider disabling media backfill/downloads where possible, and do not rely on the E2E helper for strong confidentiality while the key-export path exists. Use a scoped/rotatable WTT token and rotate it if the config or runtime-data files may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises operational steps that install, enable, restart, and bootstrap a networked plugin using agent credentials, yet no explicit permissions are declared for shell, network, or environment access. This creates a trust and review gap: users may approve a seemingly simple distribution entry without understanding that it can drive privileged actions and handle sensitive tokens.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The stated purpose frames the skill as a simple distribution/bootstrap guide, but the referenced behavior is far broader and includes persistent remote connectivity, command execution surfaces, configuration mutation, plugin lifecycle control, background loops, media download, and possible exposure of derived E2E keys. This mismatch is dangerous because it can mislead reviewers and operators into granting access to a component that effectively acts as a powerful remote-control integration with sensitive data and system-management capabilities.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script fetches arbitrary HTTP(S) URLs extracted from message text and stores the responses locally, which creates an SSRF-style outbound fetch surface and allows untrusted content to trigger network access. Even with size and timeout limits, this can be abused to contact attacker-controlled hosts or internal services reachable from the machine, or to download risky files into local storage.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The file’s documented scope presents the plugin as a WTT channel integration, but the implementation also performs task execution, task recovery, and task-state orchestration. That mismatch is security-relevant because operators may grant or deploy the plugin under a narrower trust assumption than its actual authority, increasing the chance of unintended remote actions.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The module persists discussion history under topic-memory files and downloads inbound media to local storage, but that data retention is not disclosed by the stated plugin purpose. Undisclosed storage of conversation content and files can expose sensitive user data to local compromise, backups, or later unintended reuse.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code includes autonomous task execution, rechecks, and recovery sweeps that can trigger remote workflow actions without a direct user action at the time of execution. In the context of a plugin described as install/bootstrap for a channel, this is dangerous because it materially expands operational authority and can cause unexpected remote side effects or repeated execution if misconfigured.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This code patches remote task status over HTTP, allowing the plugin to mutate external workflow state rather than merely relay messages. Given the plugin’s narrow stated purpose, this is a meaningful privilege expansion that could alter task lifecycles, hide failures, or trigger downstream automation unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The setup routine modifies `commands.allowFrom.wtt` to include `*`, which grants the WTT channel permission to invoke all commands rather than only the minimum needed for bootstrap. In a plugin whose purpose is to install and enable a remote channel, this unnecessarily expands the trusted command surface and could let messages or integrations arriving through WTT trigger powerful local agent actions.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file exposes full task lifecycle capabilities (list, detail, create, run, review) even though the skill manifest describes the plugin as only installing/enabling WTT and bootstrapping configuration. This mismatch is dangerous because users and reviewers may grant trust or permissions based on a narrow bootstrap description while the code can perform operational actions against the remote WTT service.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
`task run` does much more than setup: it enqueues execution, invokes inference hooks, interacts with persistence-aware runtime components, and can publish heartbeat updates. In a plugin advertised as a bootstrap/install entry, concealed execution orchestration materially expands the attack surface and could be used to trigger remote actions or costly processing without informed approval.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code publishes task heartbeat messages to a client stream, which is outside the stated bootstrap/install purpose and creates an unadvertised outbound communication channel. Even if intended for progress reporting, stream publication can leak task metadata, execution details, or prompt/output-derived content to subscribers who did not expect this skill to emit runtime data.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code spawns a detached shell (`sh -lc`) that restarts the entire OpenClaw gateway after a delay; this can disrupt service and affects the whole host process, not just this plugin. Because the restart is detached and not conditioned on user acknowledgment, it creates an availability and operational safety risk, especially in multi-tenant or production deployments.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The client responds to an inbound `e2e_key_request` by sending `key_b64: toBase64(this.e2eKey)` over the WebSocket, which defeats the purpose of end-to-end encryption by disclosing the symmetric key to the remote peer/service. In the stated context of a plugin meant to install/bootstrap WTT channels, exposing a runtime key-export mechanism is especially unjustified and materially increases the risk of message decryption, impersonation, and long-term compromise of encrypted traffic.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The tool downloads remote media and persists it locally by default, but gives little user-facing notice unless verbose or dry-run mode is used. In the context of a plugin whose stated purpose is bootstrap/installation, silent default ingestion of remote content increases the risk of unintended network access, storage of attacker-controlled files, and privacy exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This command persists the agent token into the main config file and simultaneously enables broad WTT command access, but it does so without any warning, confirmation, or protection mechanism. Storing long-lived credentials in a general config file increases exposure if the file is read by other local users, tooling, backups, or logs, and the added permissions amplify the blast radius if the token or channel is abused.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
On successful install/update paths, the code immediately rewrites the configuration file via `cleanupLegacyWttLoadPath()` and schedules a gateway restart without prior user-facing warning or consent. Silent mutation of persistent config plus automatic restart can cause unexpected outages or config loss if assumptions about the environment are wrong.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code trusts environment-controlled values such as `OPENCLAW_CONFIG_PATH` and `OPENCLAW_BIN`, and forwards the full `process.env` into subprocesses. In a hostile or compromised runtime, this can redirect config reads/writes to arbitrary files, influence which binary is executed, or leak sensitive environment data into child processes and shell commands.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The executor persists queued and running task intents to disk, and those intents include `apiContext` plus identifiers such as `accountId`, `triggerAgentId`, `runnerAgentId`, and tokens. Writing authentication material and operational metadata to disk increases exposure through local file compromise, backups, logs, or multi-user host access, especially because this shared executor enables persistence by default.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code sends the client's E2E encryption key over the WebSocket in response to a server message, with no user confirmation, no secondary authentication, and no cryptographic wrapping of the key material. Any party able to trigger or control that request path can obtain the secret key and decrypt protected messages, nullifying confidentiality guarantees and potentially enabling forged encrypted traffic.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file hardcodes a reusable password for remote account registration/login against a public service. If these accounts persist or usernames are predictable, anyone aware of the test convention could access the created accounts, interfere with tests, read messages, or abuse the service under those identities.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The test logs raw pushed message objects and message content snippets, including encrypted-message metadata and potentially sensitive plaintext after decryption. Console logs often end up in CI artifacts, shared terminals, or centralized log systems, which can expose confidential communications and token-adjacent context to unintended parties.

VirusTotal

65/65 vendors flagged this skill as clean.