Mirage Proxy

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local privacy proxy, but it installs a persistent traffic-intercepting binary and has an unpinned build-from-source fallback that users should review carefully.

Install only if you trust the mirage-proxy project and are comfortable routing prompts and provider-authenticated traffic through it. Prefer verified releases, avoid the unpinned source-build fallback unless you have reviewed the repository, monitor or delete the log if it may reveal sensitive redaction metadata, and use the uninstall command plus manual provider-config cleanup when you no longer want traffic routed through the proxy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the user to run shell commands and a setup script that downloads and installs a binary, modifies configuration, and starts services, yet the skill declares no corresponding permissions or warnings. This is dangerous because it obscures the true execution and trust boundary, reducing the user's ability to assess risk before running system-changing commands.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The setup instructions tell the user to execute a bundled shell script that downloads a binary, creates an auto-restart wrapper, starts a proxy, and patches provider configuration, but they do not prominently warn that local system/runtime state will be modified and a background service will be launched. This increases the chance of uninformed execution of privileged or persistent changes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script downloads a binary from GitHub, marks it executable, and starts it as a background service, but it does not clearly warn the user up front that it will perform network retrieval and install a persistent process. Although checksum verification is present for release binaries, the fallback path builds directly from a remote Git repository with no pin to a commit or lockfile verification, which still introduces supply-chain risk.

Session Persistence

Medium
Category
Rogue Agent
Content
**Docker entrypoint (recommended):**
```yaml
# docker-compose.yml
command: sh -c "nohup /home/node/.openclaw/workspace/start-mirage.sh > /dev/null 2>&1 & exec openclaw start"
```

**Heartbeat check (fallback):**
Confidence
88% confidence
Finding
nohup

Session Persistence

Medium
Category
Rogue Agent
Content
```sh
  chmod +x "${WRAPPER}"

  # Start it
  nohup "${WRAPPER}" > /dev/null 2>&1 &
  sleep 2

  # Verify it's running
```
Confidence
93% confidence
Finding
nohup

VirusTotal

61/61 vendors flagged this skill as clean.
