Orchard

Security checks across malware telemetry and agentic risk

Overview

The skill is broadly coherent as an OpenClaw task manager, but it includes sensitive operational and data-flow behavior that users should review before installing.

Install only if you are comfortable with an autonomous task runner that can spawn OpenClaw subagents, persist project data under ~/.openclaw, and expose a local dashboard/API. Keep the UI bound to 127.0.0.1, avoid using non-local HTTP with bearer tokens, disable or carefully scope contextInjection/GEMINI_API_KEY if project text may be sensitive, and review any config-safety doc URLs before use. Treat the watchdog panel as an admin capability if your gateway exposes /wdog endpoints.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 82%
Finding: The skill documentation exposes network and environment-related capabilities without declaring corresponding permissions, which undermines informed consent and security review. In an agentic plugin that can dispatch subagents and expose REST endpoints, hidden capability scope increases the risk of unintended data access, outbound requests, or privilege expansion beyond what operators expect.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: This is a significant description-behavior mismatch: the skill claims to be a task/project manager, but the findings indicate additional config-safety profile management, external HTTP fetching, knowledge-base querying, and watchdog/restart operations. Undisclosed operational and control-plane features are dangerous because they can expand the plugin's authority, create covert functionality, and enable sensitive system actions that administrators would not expect from the advertised purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The route code fetches arbitrary user-supplied URLs and only blocks obvious private IP/host patterns. This is dangerous because it enables SSRF-like outbound access to attacker-chosen hosts, and the hostname-only checks are incomplete: they do not robustly protect against DNS rebinding, internal IP resolution via public hostnames, IPv6 edge cases, or redirects to internal resources.

Description-Behavior Mismatch

Severity: Low
Confidence: 91%
Finding: The plugin description says only 'Agentic project management for OpenClaw' while this entrypoint also starts and registers HTTP routes and, when enabled, a standalone UI server. This is a real transparency and deployment-risk issue because operators may install the plugin without realizing it exposes local network services, which can weaken security assumptions and lead to unintended exposure if bind settings are changed or safeguards are misconfigured.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The dashboard exposes watchdog snapshot and safe-restart controls that are outside normal project/task management and can affect the availability and state of the broader gateway. In this agent/plugin context, giving UI users one-click access to restart infrastructure or capture snapshots materially expands the attack surface and can enable denial of service or sensitive state capture if authorization is weak or a token is compromised.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The dashboard exposes watchdog endpoints that can trigger gateway restarts and create snapshots from the same UI used for routine task management. Those are privileged operational controls with disruptive and potentially data-sensitive effects, so embedding them in this plugin materially expands its authority beyond its stated purpose and increases the blast radius if the UI, token, or operator session is compromised.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The UI stores the OpenClaw gateway bearer token in localStorage and automatically reuses it for API calls. localStorage is readable by any script running in the origin, persists across sessions, and is a common target during XSS or browser compromise, so this weakens credential handling for a sensitive gateway token.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The brief explicitly instructs the operator to use a real local gateway token in a manual curl test, but provides no warning about secure handling, scoping, redaction, or avoiding disclosure in logs and reports. In an agent-skill context, asking for real credentials increases the chance the token is pasted into shells, transcripts, build logs, or agent outputs, which could lead to unauthorized API access if exposed.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The script defaults to an HTTP base URL and sends the provided gateway token as a Bearer token in the Authorization header without enforcing TLS or warning the operator. If the service is reached over a non-local network, a man-in-the-middle or network observer could capture the token and use it to access OrchardOS APIs and associated project/task data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: This code sends arbitrary `text` and later `query` content to Google's external embedding API whenever an API key is configured, with no evidence here of consent checks, redaction, data classification, or restrictions on what content may be transmitted. In a project/task management plugin, that content can plausibly include sensitive project notes, task details, credentials, customer data, or proprietary information, creating a real confidentiality and compliance risk through unintended third-party data disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.