OpenClaw Agent Mesh

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real agent-mesh communication skill, but it exposes a network service and stores inbound network data with weak safety guidance.

Review before installing. Use only on networks and peers you control or explicitly trust, avoid exposing the server beyond localhost unless necessary, protect the private key with restrictive permissions, prefer HTTPS endpoints, and periodically delete or audit stored inbound messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill instructs users to store a private signing key on disk at a predictable location but does not warn that this is sensitive secret material. On multi-user systems, backups, weak filesystem permissions, or endpoint compromise could expose the private key and allow impersonation of the agent to trusted peers.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The LAN discovery workflow directs HTTP probing of candidate URLs without warning about privacy, logging, and network visibility implications. Probing nearby hosts can reveal the user's presence, trigger IDS/monitoring alerts, contact unintended systems, or violate local network policy if run on corporate or managed networks.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The skill recommends starting an HTTP server on 0.0.0.0 to accept discovery, contact requests, and messages, but omits a warning that this exposes a listening service to the network. Even with signature checks, an internet- or LAN-reachable service can be abused for reconnaissance, malformed request attacks, denial of service, or exploitation of implementation bugs in the server and request handlers.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
Contact requests are sent with urllib to arbitrary endpoints and may use plain HTTP, exposing agent identity metadata, endpoint information, and the public key to passive network observers and intermediaries. While the public key is not secret, the combination of peer identity and endpoint data supports discovery, profiling, and tampering attempts in the LAN/mesh context.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
Direct messages send user-provided text and agent identifiers to a peer endpoint over whatever scheme is configured, with no transport-security requirement or encryption beyond message signing. In this agent-to-agent communication skill, that means sensitive conversation content can be intercepted or modified in transit on untrusted networks, which is more serious given the feature is explicitly for peer messaging.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The server persists attacker-controlled request bodies to disk in predictable files under the state directory without any authentication, consent, retention limits, or disclosure. In the context of an agent-mesh service exposed on 0.0.0.0, this increases privacy and forensic risk because arbitrary remote peers can cause potentially sensitive contact and message contents to be stored locally.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
This HTTP server accepts unauthenticated network input and forwards it directly into mesh.py processing, effectively exposing internal message-handling logic to any network peer that can reach the port. Given the skill's purpose is agent-to-agent communication and the server listens on 0.0.0.0 by default, the context makes this more dangerous because it creates a remotely reachable attack surface for malformed input, resource exhaustion, or abuse of downstream logic.

VirusTotal

65/65 vendors flagged this skill as clean.
