OrchardOS

Security checks across malware telemetry and agentic risk

Overview

OrchardOS appears to be a real task-management plugin, but it includes admin-level controls and external data flows that should be reviewed before installation.

Review before installing in sensitive workspaces. Use a scoped or non-production gateway token, keep the UI bound to 127.0.0.1, do not enable unsafe LAN binding unless intentional, disable context injection or remove GEMINI_API_KEY if project data must stay local, and treat debug/watchdog controls as administrator-only.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
74% confidence
Finding
The skill documentation declares no permissions, yet the detected capabilities include environment access and network access. In an agentic plugin that can auto-dispatch subagents and expose a REST API, undeclared powerful capabilities reduce transparency and can enable data exfiltration, unauthorized outbound requests, or misuse of sensitive runtime configuration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose is task management, but the detected behavior includes semantic storage/search, external documentation fetching, safety-profile injection, and watchdog/restart-related controls outside that scope. This mismatch is dangerous because users may grant trust and deployment approval based on incomplete expectations while the plugin performs broader actions that can influence agent behavior, expand attack surface, or interact with sensitive operational controls.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code can fetch attacker-controlled external URLs and include the returned content in generated injection text. Although it blocks some private address ranges, it still enables outbound requests and trust of remote content, which can be abused for prompt-injection, data exfiltration via request metadata, or access to unintended hosts due to incomplete SSRF protections such as DNS rebinding/resolution gaps and unrestricted redirects to alternate hosts.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The UI includes broad operational controls for debug settings, queue pause/resume, tick forcing, and circuit-breaker open/close/reset. Those functions can alter scheduling and safety behavior of the agent system, so exposing them in a task-management dashboard increases the attack surface and can be abused to disable safeguards or manipulate execution.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The dashboard exposes powerful watchdog actions that can restart the gateway and create snapshots directly from the UI. In a task-management plugin, these are high-impact administrative controls; if the dashboard or its token is accessed by an unintended party, they enable denial of service and potentially sensitive-state capture through snapshots.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The brief explicitly instructs the operator to use a real local gateway token in a manual smoke test, which normalizes handling live credentials during the development workflow. Even though it does not directly exfiltrate the token, embedding this instruction in a skill increases the chance that sensitive credentials are pasted into shell history, logs, screenshots, or shared transcripts, especially in agent-assisted environments.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script defaults to an insecure HTTP endpoint and then sends a bearer token in the Authorization header to that endpoint. If the service is accessed over anything other than a strictly local and trusted loopback path, the token can be exposed to local interception, proxying, port forwarding, container/VM boundary issues, or accidental remote rebinding/misconfiguration; the script also provides no warning before transmitting credentials over cleartext.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code sends arbitrary knowledge content and search queries to Google's embedding API whenever context injection is enabled and an API key is present. In a project/task-management plugin, that content can plausibly include proprietary project data, task details, credentials pasted into tasks, or other sensitive operational context, so silent external transmission creates a real confidentiality and privacy risk even if the feature is intended.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The gateway bearer token is persisted in `localStorage`, making it accessible to any JavaScript executing in the page origin, including future XSS or compromised dependencies on that origin. Because this token authorizes API access to Orchard/OpenClaw functionality, theft of the token can lead to account or system misuse beyond a single session.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The gateway token is persisted in localStorage, making it accessible to any JavaScript executing in the page origin, including code introduced through XSS or compromised same-origin content. Because this token authorizes backend operations including sensitive debug and watchdog actions, token theft can lead to full dashboard/API compromise.

VirusTotal

53/53 vendors flagged this skill as clean.