WTT Skill

Security checks across malware telemetry and agentic risk

Overview

This skill matches its WTT messaging purpose, but it can silently install a persistent background service, broaden OpenClaw session permissions, and persist routing/token data.

Install only if you intentionally want a persistent WTT background agent connected to Waxbyte/WTT services and able to use OpenClaw session tools. Before installing, review the installer, consider setting WTT_AUTO_INSTALL_AUTOPOLL=0, verify gateway.tools.allow changes, protect or avoid plaintext .env tokens, and confirm the uninstall script removes the service in your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (26)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return

    try:
        subprocess.run(
            ["bash", str(script)],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
Confidence
97% confidence
Finding
subprocess.run( ["bash", str(script)], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=180, check=False, )

Tainted flow: 'api_url' from os.getenv (line 942, credential/environment) → httpx.post (network output)

Critical
Category
Data Flow
Content
import httpx, uuid as _uuid
                api_url = os.getenv("WTT_API_URL", "https://www.waxbyte.com").rstrip("/")
                try:
                    resp = httpx.post(f"{api_url}/agents/register", json={"platform": "openclaw"}, timeout=15)
                    if resp.status_code == 200:
                        data = resp.json()
                        cur_agent = data.get("agent_id", "")
Confidence
97% confidence
Finding
resp = httpx.post(f"{api_url}/agents/register", json={"platform": "openclaw"}, timeout=15)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill installs and starts a local OS service via shell script as part of initialization, which exceeds the expected scope of a messaging/orchestration skill and creates persistence on the host. In this context, the behavior is more dangerous because users importing a chat/orchestration skill would not reasonably expect automatic modification of launch agents or systemd user services.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code performs service installation automatically on module import despite documentation framing it as something that happens after installation, creating misleading behavior and violating least surprise. This discrepancy is security-relevant because hidden side effects reduce a user's ability to make informed trust decisions and can cause unreviewed persistence to be deployed simply by importing the package.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The config flow reads local session metadata from the user's home directory and writes persistent changes into a local .env file. That exceeds simple command routing and creates side effects on local state and configuration, which is risky for a chat-triggered skill because a user may not expect filesystem discovery and persistence from a messaging command.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The auto-config command performs direct external HTTP registration rather than only delegating through the documented MCP tool boundary. That widens the trust boundary of the skill and allows a chat command to trigger external account/agent registration behavior, which can expose identifiers and create remote-side state unexpectedly.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code comments imply duplicate-notification suppression, but _should_notify always returns True, so every inbound message is forwarded. In this skill, that means untrusted remote content can be repeatedly pushed into IM channels, increasing spam, social-engineering exposure, and accidental disclosure of sensitive conversation content.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
When run as root on Linux, the installer performs apt-get update/install for python3-venv packages. That is a material system-wide modification outside a narrow per-user autopoll setup and increases attack surface and operational risk, especially because it silently changes host state during install.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The installer edits the OpenClaw configuration to add gateway.tools.allow entries for session-management capabilities and may restart the gateway automatically. Expanding tool permissions changes the security boundary of the host application and can enable broader command/session control than expected for an autopoll installer.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The service bypasses the normal session API and reads OpenClaw transcript files directly from disk to recover full assistant output. Those transcripts can contain prior prompts, model responses, tool outputs, and potentially secrets from unrelated work, so this creates a local data-exposure channel and breaks normal access boundaries.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README documents a zero-touch `@wtt config auto` flow that writes detected routing data back into the skill's `.env` file, but it does not clearly warn users that a runtime command will persistently modify local configuration. In this skill's context, `.env` controls messaging endpoints and identifiers, so unexpected writes can silently alter where messages are routed and create lasting configuration drift or misdelivery risks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The quick-start directs users to run an installer that edits .env, patches gateway permissions, and starts a background service, but it does not clearly warn that it will make persistent system changes. This can lead to uninformed execution of privileged actions, making it easier for users to install a long-running component and broaden tool access without understanding the security consequences.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The auto-configuration flow persists IM routing identifiers and agent IDs into .env without a clear privacy, retention, or access warning. Those values may expose chat destinations, internal identifiers, and service linkage information to other local users, backups, or logs if file permissions are weak or the file is later exfiltrated.

Missing User Warnings

High
Confidence
99% confidence
Finding
Importing the module automatically runs a shell script to install or start a background service without warning or confirmation, which is a classic unsafe package behavior. In a skill ecosystem, import-time execution is especially dangerous because simply loading the skill can change host state, establish persistence, and expand the blast radius far beyond normal message handling.

Missing User Warnings

High
Confidence
98% confidence
Finding
The constructor repeats the same unsafe pattern by attempting automatic service installation/startup when an instance is created, again without user-facing disclosure. This is dangerous because ordinary application code that instantiates the skill for messaging features can inadvertently trigger host persistence and script execution, which is broader than the advertised capability.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The helper updates and persists environment variables into a .env file automatically, including identifiers and potentially credentials, without an interactive warning before the write occurs. Silent persistence of security-relevant configuration is dangerous because it creates lasting side effects and may expose secrets to other local users, backups, or later processes.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Auto-config makes a network request to register an agent and then stores the returned agent token locally, all without prior user disclosure in the command flow. This is sensitive because it both transmits data externally and persists a credential, creating account-binding and secret-management risks from a simple chat command.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The prompt explicitly advertises a command that will auto-detect an IM route and write to `.env`, but it provides no warning, confirmation requirement, or safety constraints around modifying local configuration. In an agent skill, silent config-file mutation can change runtime behavior, redirect integrations, or persist attacker-influenced settings beyond the current session, making this more dangerous than a normal informational command.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Incoming WebSocket messages are reformatted and pushed to IM without any consent, warning, or trust boundary disclosure. Because message content is attacker-controlled remote input, this creates a direct exfiltration and social-engineering path into a separate communication channel that users may perceive as trusted system output.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The polling fallback mirrors the same behavior as the WebSocket path by forwarding polled message bodies to IM with no disclosure or approval step. This preserves the same cross-channel data leak and phishing risk even when WebSocket is unavailable, so the unsafe behavior is systemic rather than incidental.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script modifies a persistent OpenClaw config file and may restart the gateway without an upfront warning or interactive confirmation. Even if functionally intended, silent changes to orchestration permissions and service state violate least surprise and can disrupt running workflows.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The installer writes persistent launchd/systemd autostart units and may also use nohup to start a background process, all without a clear upfront warning. Persistence and automatic background execution are sensitive behaviors because they survive the current session and can be abused or simply surprise the user.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code silently migrates a legacy .env into the skill directory, duplicating secrets and configuration without explicit consent or warning. This increases secret sprawl and may place credentials in a less protected path, making accidental disclosure or backup leakage more likely.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
On startup, the skill automatically registers with a remote API and sends platform metadata without explicit disclosure or opt-in. In an agent skill context, unexpected outbound registration is sensitive because it creates an external dependency and reveals deployment metadata to a third party.

Missing User Warnings

High
Confidence
95% confidence
Finding
A remotely returned agent token is persisted into a local .env file automatically and without user confirmation. Storing authentication material in plaintext configuration expands the attack surface: other local users, backups, or adjacent tools may read and misuse the token.

VirusTotal

66/66 vendors flagged this skill as clean.
