Antenna

Security checks across malware telemetry and agentic risk

Overview

Antenna appears to be a real cross-host OpenClaw messaging skill, but installing it grants broad gateway, session, sandbox, and credential authority that users should review carefully.

Install only if you are comfortable giving this skill administrative control over parts of your OpenClaw gateway. Before setup, review the gateway diff, keep peer and session allowlists narrow, enable inbox review for new peers, protect and rotate hooks tokens and identity secrets, avoid ClawReef unless you accept third-party credential storage, and do not use dry-run or test-report features with sensitive content unless you are prepared for secrets or prompts to appear in local logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documented ability to send bootstrap bundles by email extends the data flow beyond the stated webhook-based messaging and peer-management scope. That creates an additional exfiltration and misdelivery channel for sensitive trust material, especially if operators assume all exchange remains within the HTTPS relay model.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill claims cross-host communication should avoid visible chat channels, yet also integrates with the external ClawReef registry/invite service and states that registry stores webhook credentials and identity secrets. This broadens the trust boundary to a third party and introduces external dependency and credential-exposure risk not obvious from the primary description.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Sending bootstrap material by email is not a necessary part of a webhook relay skill and introduces a second transport with different threat assumptions, retention, and interception risks. Even if encrypted bundles are used, this behavior increases the chance of accidental disclosure, phishing-style misuse, or operator confusion about where trust material may travel.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
This code rewrites the host's OpenClaw gateway configuration and restarts the gateway, which is host-administration behavior beyond the skill's stated messaging role. In a privileged agent context, this can disrupt service, alter routing/model behavior, and create an unexpected control plane for modifying broader system configuration.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Setting `relay_agent_model` through the generic config interface triggers a write to the gateway config and a gateway restart as a side effect. Hidden side effects on a seemingly local configuration command are dangerous because operators may not expect a service restart or host-wide config modification from this path.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The guide makes a contradictory claim about whether ClawReef stores webhook credentials, then states that it stores `hooksToken` and `identitySecret` for push delivery. Centralizing these secrets in a registry materially expands the trust boundary and creates a high-value compromise target that could enable spoofed inter-host messages or unauthorized delivery if the registry or its operators are breached.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The setup script edits the global OpenClaw gateway configuration, enables hooks, widens session visibility to all agents, enables agent-to-agent communication, and modifies approval allowlists. Those are security-sensitive host-wide changes that exceed merely creating local Antenna state, and in non-interactive mode they occur automatically when a gateway config is found. In the context of a cross-host messaging skill, these changes materially expand the attack surface and trust boundary of the entire gateway.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script modifies PATH behavior by creating a global or per-user symlink and may append export lines to shell profile files. That is persistence outside the skill's own directory and is not strictly necessary for a messaging setup workflow. While likely intended for convenience, it creates side effects that outlive the setup session and can surprise users or be abused if the referenced path is later replaced.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This test explicitly validates that setup logic forces the antenna agent's sandbox mode to "off", which weakens a core isolation control for a skill whose stated purpose is inter-host messaging and peer management. Even though this is only a regression test, it confirms the underlying setup behavior exists and is expected, increasing the blast radius of any compromise in cross-host message handling or related hooks.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The test covers preservation and seeding of tool execution and deny policies, showing that the skill setup modifies runtime permission controls beyond simple messaging configuration. In the context of a cross-host communication skill, silently managing tool policy can enable capability drift, making it easier for remote message paths or peer interactions to operate with broader local powers than operators expect.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The README strongly promotes autonomous agent-to-agent communication across hosts 'without a human sitting in the loop' and 'No approval step' while not foregrounding the privacy and data-sharing risks of cross-host transmission. In this context, agents may send sensitive prompts, operational details, or business data to external hosts or email systems without meaningful user awareness, increasing the chance of unintended disclosure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs writing the entire raw inbound message verbatim to a file under /tmp, which can persist sensitive payloads on disk and expose them to other local processes, backups, or forensic recovery depending on host configuration. In this context, the messages are cross-host relay envelopes and may contain credentials, trust material, or private agent communications, so storing them unredacted increases confidentiality risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill directs the agent to execute a wrapper script that performs verification and delivery, resulting in subprocess execution and likely outbound transmission to another host, but provides no user-facing disclosure or consent boundary for those actions. Because this skill is specifically designed for inter-host communication, invoking it can move data off-host and trigger privileged gateway behavior, making silent execution more dangerous than in a purely local utility.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly requires saving the entire raw inbound message to a temp file on disk, which creates confidentiality and data-retention risk if the message contains secrets, credentials, personal data, or untrusted payloads. Even though the file path uses a unique name and avoids direct overwrite hazards, the skill provides no user-facing disclosure, minimization, retention policy, or safeguards around temp-file permissions and cleanup at the agent layer.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documented flow passes a file containing attacker-controlled message content into a shell-invoked wrapper, which increases risk if downstream scripts ever mishandle quoting, parse file contents unsafely, or perform shell-sensitive operations on the data. Although this file tries to constrain the top-level command shape and forbids obvious shell metacharacter abuse in the exec invocation, it still establishes a delivery path where untrusted content is processed through shell-based components without any warning or stated validation boundary.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The execution path rewrites gateway configuration and may restart the gateway without any prior warning at the point of use. Even when user-invoked, silent service-impacting side effects can cause downtime or unexpected behavior and are unsafe in multi-tenant or production environments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation tells users that the registry stores `hooksToken` and `identitySecret` without a prominent warning that these are sensitive credentials whose exposure could let a third party impersonate a peer or inject messages. In a cross-host agent messaging system, under-warning users about secret escrow can lead to unsafe deployment decisions and misplaced trust in the registry.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The doctor command performs unsolicited outbound network requests to every configured peer URL via curl as part of its connectivity check. In a security-sensitive environment, this can leak metadata, trigger side effects on remote endpoints, or contact attacker-controlled URLs if the peer registry has been poisoned, and the script does not present a clear user-facing warning or require opt-in for network access.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script offers to email an encrypted bootstrap bundle without a strong user-facing warning at the decision point that the attachment contains highly sensitive bootstrap material, including endpoint identity and secrets encrypted for the recipient. Even though the payload is encrypted, emailing bootstrap artifacts increases exposure through mail providers, misaddressing, mailbox compromise, and audit/log retention.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This script relays message content to another host/session via `openclaw gateway call sessions.send` without any user-facing confirmation or consent check at the point of transmission. In a cross-host messaging skill, silent forwarding increases the risk of unintended data exfiltration, especially if upstream parsing or approval logic is bypassed or misused.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The dry-run path prints the full relay envelope and JSON payload, which includes sensitive message content and can include the embedded per-peer auth secret in the `auth:` header line. Anyone with terminal visibility, shell history capture, CI logs, or transcript logging could recover credentials or private inter-host messages without the message ever being sent. In this skill context, cross-host messaging often carries sensitive operational data, which increases the risk of exposure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
In non-interactive mode, the script sets do_auto_register=true and proceeds to auto-register the agent and modify gateway configuration without a fresh confirmation at the point of action. Because the same run also later attempts PATH-related persistence, automation users may trigger host-wide changes unexpectedly. This is dangerous in CI or scripted deployment contexts where operators may expect only local config generation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The report writer persists raw API requests and responses to disk, and those payloads include full system prompts, user-supplied relay envelopes, and model outputs. In this skill context, that can capture inter-host message contents, host metadata, and operational instructions in plain report files without explicit notice or redaction, creating a real confidentiality risk.

VirusTotal

65/65 vendors flagged this skill as clean.
