OpenClaw Docker Setup

Security checks across malware telemetry and agentic risk

Overview

This setup guide is coherent overall, but it asks users to expose and persist live credentials in ways that need careful review before installation.

Review before installing:
  • Use dedicated bot Google and Discord accounts; avoid personal Gmail or Drive unless you accept that access.
  • Do not share terminal output from these setup steps.
  • Rotate any token or password that appears on screen or in logs.
  • Bind exposed ports as tightly as possible.
  • Prefer pinned/checksummed downloads and unique secrets instead of the documented static values.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill explicitly instructs the user to dump `/home/node/.openclaw/openclaw.json` and manually copy `gateway.auth.token`. That reveals a live authentication secret in cleartext on screen and risks leakage through terminal scrollback, screen sharing, recordings, copy/paste history, or notes; anyone with the token can access the local dashboard if they can reach the forwarded port.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The file materially expands the skill from Dockerized OpenClaw setup into Gmail integration with message access, sending, and attachment download. That adds a new data-access capability involving external communications and sensitive content, which increases attack surface and can enable exfiltration or unintended processing of private email data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The instructions store persistent Gmail credentials inside the container and install a mail client capable of reading, sending, and downloading attachments. If the container, workspace, logs, or agent instructions are exposed, those credentials can be abused for mailbox access and outbound email actions, making this a substantive security issue rather than mere feature creep.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
This section exposes a sensitive gateway authentication token without any warning or containment guidance. Even though the service is bound to localhost, the same document also discusses SSH port forwarding, which increases the chance that a leaked token could be used by another local or forwarded session to authenticate to the dashboard.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The guide instructs users to print the full Himalaya config file after embedding the Gmail app password in `auth.raw`, which risks credential disclosure on screen, in shell history, terminal logs, shared sessions, or copied troubleshooting output. Exposing live mail credentials is especially dangerous because it grants direct mailbox access and possible email sending capability.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding
Updating `TOOLS.md` to advertise the Gmail account, binary, config path, and attachment-download capability makes sensitive operational details more discoverable to the agent and anyone with workspace access. Even without the password embedded there, this lowers the barrier to misuse by documenting exactly how to access and operate the mailbox integration.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The instructions explicitly tell the user to bypass CLI redaction and read the raw config file to recover `gateway.auth.token`. That exposes a live authentication secret in plaintext, increasing the chance of accidental disclosure through terminal history, logs, screenshots, or copy/paste into chat. In the context of a Dockerized service setup skill, this is especially risky because operators may follow the steps verbatim during troubleshooting without realizing they are handling sensitive credentials.

Ssd 3

Severity: High
Confidence: 99%
Finding
This is a direct instruction to defeat secret redaction by reading the underlying configuration file and extracting the authentication token. Redaction exists to prevent casual exposure of credentials; documenting a bypass normalizes unsafe secret handling and can enable unauthorized access if the token is shared or captured. Because this skill guides users through deploying and administering a live service, the revealed token may grant control over that instance.

VirusTotal

66/66 vendors flagged this skill as clean.