Back to skill

Security audit

Clawlink

Security checks across malware telemetry and agentic risk

Overview

ClawLink appears purpose-built for encrypted bot messaging, but it stores decrypted message history locally and enables broad messaging triggers with limited user-facing disclosure.

Install only if you are comfortable with a background polling entry, relay-based metadata exposure, and readable local message archives under ~/.openclaw/clawlink. Avoid sending highly sensitive content unless local disk access and backups are controlled, and do not run the bundled test scripts against a real profile.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises networked messaging behavior and local data handling, but the metadata shown in SKILL.md does not declare permissions for network or environment/file access. Missing permission declarations weaken reviewability and sandbox enforcement because an installer or agent may grant capabilities implicitly without informed consent. In a messaging skill, undeclared network access is especially relevant because it can transmit user content off-device.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The declared description frames the skill as simple encrypted friend messaging, but the documented behavior extends to local message persistence, message readback APIs, delivery-policy automation, invite workflows, and modification of HEARTBEAT.md. This mismatch can mislead users and reviewers about the scope of data collection, automation, and system integration, reducing informed consent and increasing the chance of unintended exposure of sensitive messages.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The handler exposes direct inbox/outbox listing and arbitrary message reading by filename, which goes beyond the user-facing messaging scope described in the manifest. Even if intended for convenience, this increases access to stored message contents and metadata, creating privacy risk and expanding the attack surface for any caller that can invoke the skill.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
This helper claims to convert an Ed25519 secret key to X25519, but it actually takes the first 32 bytes of the Ed25519 secret key and uses them directly as an X25519 private key. That is not the documented or safe conversion process, can produce incompatible/shared-secret mismatches with peers using proper conversion, and undermines the security guarantees of the messaging protocol by deriving encryption keys incorrectly.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The module stores message bodies and metadata as plaintext markdown under the user's home directory, which directly undermines the stated end-to-end encrypted messaging expectation. Even if transport encryption exists, local plaintext persistence exposes sensitive communications to other local users, malware, backups, or forensic access, creating a confidentiality gap users are unlikely to expect.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The documentation explicitly advertises a plaintext audit trail of communications, which conflicts with the product's encrypted messaging security model and signals intentional retention of sensitive content after decryption. In this skill context, users are likely to rely on privacy guarantees, so behavior/documentation mismatches increase the risk of unsafe handling and misleading trust assumptions.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
This script is presented as creating a test identity, but it also reads the real user's ClawLink identity from the home directory and modifies the real friends database. That creates unintended cross-environment state changes and can silently alter production-like trust relationships, which is especially risky in a messaging skill handling cryptographic identity material.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The header comment claims the script only creates a test identity, but the implementation also mutates a real user's friendship records. This misleading behavior increases the chance that a developer runs the script without understanding it will alter real data and trust state.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Triggers such as 'send message to', 'tell [name] that', and 'message from' are broad enough to collide with ordinary conversation or unrelated tasks. In an agent environment, that can cause accidental invocation of a networked messaging action, potentially sending sensitive text to external recipients or altering friend-management state without the user realizing a skill was activated.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Outgoing messages are written to disk with recipient, timestamp, message ID, urgency, context, and full message text, but there is no explicit user-facing warning or consent. In an encrypted messaging skill, silent local retention is dangerous because it defeats user expectations of confidentiality and increases exposure through local compromise or shared-device access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Inbound messages are automatically stored as readable files without any clear notice that private communications will persist on disk. Given the skill's end-to-end encrypted messaging context, this is more dangerous because decrypted inbound content may remain available to local attackers, backups, indexing services, or other processes long after receipt.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad natural-language phrases like 'send message to', 'tell * that', and 'message from', which are likely to activate during ordinary conversation. In a messaging skill, this increases the chance of unintended invocation and accidental transmission of user-supplied content to another bot or remote relay.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The manifest acknowledges a remote relay endpoint and storage of a local identity file, but it does not clearly communicate privacy implications, retention expectations, metadata exposure, or what content leaves the device. For an end-to-end messaging feature, incomplete disclosure can cause users to unknowingly expose contacts, message metadata, or sensitive communications behavior.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This script decrypts end-to-end messages and persistently stores the plaintext in a local inbox directory without any user-facing disclosure, opt-in, retention control, or permission hardening. In a messaging skill, silent local persistence materially weakens the privacy guarantees users may expect from encrypted transport, because any local compromise, shared account access, backup sync, or forensic access can expose message contents after decryption.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script stores plaintext message content in a local outbox JSON file after sending, but the skill is explicitly marketed as encrypted messaging. That creates a confidentiality gap: anyone with local access to the user account, backups, synced dotfiles, or endpoint malware can read message history even if transport encryption is strong, and the user is not clearly warned about this behavior.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This test script generates an identity containing both signing and X25519 secret keys and writes that material in plaintext to /tmp without any warning, access control hardening, or cleanup. Even in a test context, storing long-lived private keys in a world-accessible or weakly protected temporary location can expose credentials to other local users, malware, backup systems, or accidental reuse in non-test workflows.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script silently reads Dave's identity.json from the user's home directory, which is sensitive local key material, in order to simulate sending a friend request. Accessing another local identity store without explicit disclosure or consent is risky because it normalizes secret-key access in automation and could be repurposed to exfiltrate or misuse local credentials.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script loads real identity data from ~/.openclaw/clawlink/identity.json and uses secret key material to derive shared secrets without any user warning or isolation boundary. Accessing and operating on live private key material in a test helper expands exposure of sensitive secrets and makes accidental misuse of production credentials more likely.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script writes directly to the user's real friends.json with no explicit warning, backup, or confirmation. This can silently add or overwrite trusted contacts, corrupt user state, and create unauthorized messaging relationships in an end-to-end encrypted social graph.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The page instructs users to start the skill with a very generic phrase, 'clawphone,' while the metadata shows multiple broad natural-language triggers such as 'send message to' and 'tell [name] that.' In a voice or conversational environment, broad invocation patterns can cause accidental activation during ordinary speech, potentially sending messages or exposing private content through unintended skill execution.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The website emphasizes privacy and encryption but does not clearly warn users that messages transit relay infrastructure and that metadata such as public keys, routing information, timing, and social graph data may be visible to external systems. For a messaging skill that communicates with other agents, this omission can mislead users into oversharing sensitive information under an overly broad assumption of total privacy.

Exfiltration Commands

High
Category
Prompt Injection
Content
- clawlink
  - friend link
  - add friend
  - send message to
  - tell [name] that
  - message from
  - accept friend request
Confidence
81% confidence
Finding
send message to

Known Vulnerable Dependency: @stablelib/ed25519==2.0.2 — 1 advisory(ies): GHSA-x3ff-w252-2g7j (StableLib Ed25519 Signature Malleability via Missing S < L Check)

Low
Category
Supply Chain
Confidence
89% confidence
Finding
@stablelib/ed25519==2.0.2

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
cli.js:29

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/install.js:58

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
test/test-relay.js:175

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/setup.js:44

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/test-friend-request.js:24

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/test-setup.js:22