Approve new channels and connections to the OpenClaw UI and terminal

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local OpenClaw approvals dashboard, but it exposes powerful admin, token, and shell access with weak defaults and under-scoped controls.

Review carefully before installing. Only run it on localhost, change all credentials in both server.py and the HTML templates, set a strong Flask secret key, disable debug mode, remove the browser terminal unless truly needed, and do not expose this service to a network. Anyone who can access the UI may be able to see your gateway token, approve pairings, and use a local shell.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env['TERM'] = 'xterm-256color'
env['COLORTERM'] = 'truecolor'

process = subprocess.Popen(
    [shell],
    stdin=slave_fd,
    stdout=slave_fd,
Confidence
96% confidence
Finding
process = subprocess.Popen( [shell], stdin=slave_fd, stdout=slave_fd, stderr=slave_fd, start_new_session=True, env=env

Tainted flow: 'shell' from os.environ.get (line 595, credential/environment) → subprocess.Popen (code execution)

Medium
Category
Data Flow
Content
env['TERM'] = 'xterm-256color'
env['COLORTERM'] = 'truecolor'

process = subprocess.Popen(
    [shell],
    stdin=slave_fd,
    stdout=slave_fd,
Confidence
82% confidence
Finding
process = subprocess.Popen( [shell], stdin=slave_fd, stdout=slave_fd, stderr=slave_fd, start_new_session=True, env=env

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill exposes a fully interactive terminal backed by a PTY and local shell, which is effectively arbitrary command execution. In the context of a web application handling pairings and device approvals, this capability is unrelated to minimal business need and greatly increases attack surface, especially since socket events are not tied to the Flask login decorator.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The page hardcodes an administrative password directly in client-side JavaScript and uses it to perform a privileged approval request to /approve. Any user who can load this page, inspect source, intercept traffic, or extract bundled assets can recover the credential and invoke the approval endpoint directly, enabling unauthorized approvals and likely broader administrative abuse if the password is reused.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The page contains a hardcoded approval secret in client-side JavaScript and uses it to invoke a privileged /approve action. Any user with access to the page, browser devtools, page source, or intercepted frontend assets can recover the password and perform approvals, defeating secrecy and exposing a sensitive administrative capability to the client.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The dashboard inserts server-supplied fields such as channel_id, code, user_id, and device_name using innerHTML, which allows HTML or script-capable payloads to be injected into the page. In a real-time admin-style dashboard, this can become stored or reflected XSS that executes in the operator's browser and may enable credential theft, unauthorized actions, or full UI compromise.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The server reads a gateway authentication token from local state and passes it into a rendered template, making secret exposure to the browser possible. If that page is viewed by an attacker, leaked through client-side scripts, browser extensions, logs, or XSS, the token could enable unauthorized access to the gateway.

Missing User Warnings

High
Confidence
98% confidence
Finding
The Paramiko helper embeds SSH hostname, username, and password directly in code and auto-trusts host keys. Hardcoded credentials and disabled host verification are dangerous because they encourage insecure deployment patterns and could enable credential theft or man-in-the-middle compromise if this code is ever activated.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
An interactive shell is started for connected clients without any explicit warning, gating, or user-consent boundary, which means the application silently provides command execution capability. In practice this is dangerous because it can turn any web exposure or socket access flaw into full host compromise.

Missing User Warnings

High
Confidence
99% confidence
Finding
A sensitive approval credential is embedded in a browser-delivered template with no protection, which means it is effectively public to anyone with page access. Because the credential is used to authorize a privileged action, disclosure of the secret directly undermines the trust boundary between normal users and administrators.

Missing User Warnings

High
Confidence
99% confidence
Finding
A hardcoded approval password is not only embedded in the client but also transmitted in a request body during approval, meaning the secret is broadly exposed to every browser that loads the page and to logs, debugging tools, and any compromise of the client environment. The dashboard context increases risk because it appears to control pairing approvals, so disclosure of this secret directly enables unauthorized administrative operations.

VirusTotal

64/64 vendors flagged this skill as clean.
