Agent Kanban

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This dashboard is purpose-aligned, but it can expose OpenClaw agent history and files through an unauthenticated network web server and includes misleading security/token handling.

Install only if you are comfortable reviewing and changing the defaults. Before running it, remove the hard-coded token, bind the server to 127.0.0.1, restrict CORS, add access control, and avoid using it on shared or untrusted networks.

Static analysis

Env credential access

Critical
Finding
Environment variable access combined with network send.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
High
What this means

The dashboard may run with unclear gateway authority, leak a bundled token, or require users to trust token handling that is not accurately disclosed.

Why it was flagged

The default config bundles a real-looking Gateway bearer token; server.js uses config.gateway.token in the Authorization header, while the registry metadata declares no primary credential and SKILL.md says the token is auto-loaded.

Skill content
gateway: { url: 'http://127.0.0.1:18789', token: 'c80aa67f773b3045792ba7afbf2e22fc09cb7b37c63019e3' }
Recommendation

Remove hard-coded tokens, declare the Gateway token requirement, load only the user's explicitly configured token, and avoid exposing token-backed actions without authentication.

ASI07: Insecure Inter-Agent Communication
High
What this means

If the server is reachable from other devices or a browser visits a hostile page, agent histories and workspace files could be read without the user's intended approval.

Why it was flagged

The server listens on all interfaces, allows any browser origin, and provides unauthenticated endpoints that proxy Gateway session history and read local agent files.

Skill content
const HOST = config.server.host || '0.0.0.0'; ... res.header('Access-Control-Allow-Origin', '*'); ... gatewayInvoke('sessions_history', { sessionKey, limit: 100 }); ... fs.readFileSync(filePath, 'utf8')
Recommendation

Bind to 127.0.0.1 by default, restrict CORS to the actual local origin, add dashboard authentication, and validate requested session keys and agent IDs.

ASI09: Human-Agent Trust Exploitation
Medium
What this means

Users may run the dashboard on a shared network believing it is local-only and CORS-restricted when the code does not enforce that.

Why it was flagged

These safety claims conflict with the supplied implementation, which uses HOST 0.0.0.0, CORS '*', and a hard-coded config token rather than loading the gateway token from openclaw.json.

Skill content
**Local Access Only**: Gateway URL must be localhost or private IP; **CORS Protected**: Only allows requests from localhost:3100; **Gateway Token is auto-loaded from `~/.openclaw/openclaw.json`**
Recommendation

Make the documentation match the implementation, or preferably change the defaults to enforce local-only access, strict CORS, and explicit token configuration.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

A CDN or dependency compromise could affect what the dashboard page does with displayed agent data.

Why it was flagged

The dashboard loads runtime JavaScript from a third-party CDN without shown integrity protection; that script runs in the same page that can call the dashboard's agent-data APIs.

Skill content
<script src="https://registry.npmmirror.com/react/18/files/umd/react.production.min.js"></script>
Recommendation

Pin exact dependency versions, use a lockfile, vendor critical frontend assets or add Subresource Integrity, and review dependency provenance.