Star Office UI

Security checks across malware telemetry and agentic risk

Overview

This is a real pixel-office dashboard skill, but it encourages public exposure while handling local notes and agent controls without enough access control or security guidance.

Install only for a trusted local or access-protected environment. Before exposing it publicly, add authentication, replace and rotate the default join keys, restrict state-changing endpoints, and disable or safely sanitize the memo feature if local memory files may contain sensitive information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 90%
Finding
The documented behavior understates materially sensitive capabilities: reading local memory markdown files, pushing agent status to remote services, and performing administrative or service-management actions. That mismatch can mislead users into granting trust to a 'UI deployment' skill that also handles local data and external communication, increasing the chance of unintended data exposure or unsafe execution.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The endpoint documentation says joins should be pending authorization, but the implementation immediately sets authStatus to approved for any caller with a valid join key. This removes the intended human approval gate and turns possession of a reusable key into full access, which materially weakens access control for remote agents.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The code assigns server-provided data.memo directly to memoContent.innerHTML after only replacing newlines with <br>, which does not sanitize HTML or script-bearing markup. If an attacker can influence the /yesterday-memo response, this becomes a DOM XSS sink that can execute arbitrary JavaScript in users' browsers, steal session data, or manipulate the UI.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The script searches multiple local workspace paths and optionally arbitrary files for state/detail data, which goes beyond a narrowly scoped office-status push and can collect information from unrelated local agent workspaces. Because that collected detail is later transmitted to a remote office service, this broad discovery behavior increases the chance of unintended local data exposure.

Missing User Warnings

Medium
Confidence: 87%
Finding
The README explicitly recommends exposing the dashboard to the public via Cloudflare Tunnel or a public domain, but does not pair that guidance with clear warnings about authentication, join-key secrecy, data exposure, or network hardening. Because the project handles agent status, guest joins, and yesterday-memo content, users may deploy it Internet-accessible in an insecure default configuration and unintentionally expose operational or personal information.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill directs the agent to publish a localhost service through Cloudflare Tunnel and then share the public URL, but it does not require any warning about authentication, exposure of internal data, or who can access the endpoint. In context, this is more dangerous because the app may display agent state, yesterday's memo content, and multi-agent presence data, all of which may become internet-accessible immediately.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill recommends default shared join keys from the repository for onboarding additional agents, without warning that predictable or reused keys can allow unauthorized agents to join or impersonate participants. In a multi-agent dashboard, this can lead to spoofed presence, misleading status updates, or untrusted parties appearing in the office view.

VirusTotal

64/64 vendors flagged this skill as clean.