oauth-coder-bridge

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local bridge that routes OpenClaw requests through a locally authenticated Claude CLI session, with sensitive but purpose-aligned behavior.

Install only if you trust oauth-coder and the Claude CLI session on this machine. Keep the bridge bound to 127.0.0.1, review the ~/.openclaw/openclaw.json change, avoid sensitive logging, and enable systemd autostart only if you intentionally want this OAuth-backed local bridge running across sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
# Execute with timeout
try:
    result = subprocess.run(
        cmd,
        capture_output=True,
        text=True,
```
Confidence
92% confidence
Finding
`result = subprocess.run( cmd, capture_output=True, text=True, timeout=REQUEST_TIMEOUT, encoding='utf-8',`

Tainted flow: 'cmd' from os.environ.get (line 252, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
```python
# Execute with timeout
try:
    result = subprocess.run(
        cmd,
        capture_output=True,
        text=True,
```
Confidence
95% confidence
Finding
`result = subprocess.run( cmd, capture_output=True, text=True, timeout=REQUEST_TIMEOUT, encoding='utf-8',`

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation describes capabilities including environment access, file read/write, network exposure, and shell/subprocess execution, but does not declare any permissions or constraints. This creates a transparency and trust problem: users may install and run a skill that modifies configuration, launches a local HTTP service, and invokes authenticated CLI tooling without an explicit permission model or warning surface.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
bash scripts/setup.sh              # copies bridge, adds claude-cli provider to openclaw.json
python3 ~/.openclaw/scripts/oauth-coder-bridge.py &
# Or: systemctl --user enable --now oauth-coder-bridge
```

## Verify
Confidence
80% confidence
Finding
`systemctl --user enable`

VirusTotal

66/66 vendors flagged this skill as clean.
