ClawHub
Back to skill

Security audit

Clawculator

Security checks across malware telemetry and agentic risk

Overview

This looks like a real OpenClaw cost tool, but it under-discloses transcript scanning, file writes, and generated HTML that can contact Google.

Review before installing. Use it only if you are comfortable with a local cost-audit tool reading OpenClaw configs, session metadata, and transcript-derived usage files. Avoid opening or sharing generated HTML snapshots in privacy-sensitive/offline contexts until the Google Fonts import is removed, and review generated reports before sharing because they summarize session and cost history. Treat suggested fix commands as manual advice, not commands to run blindly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
78% confidence
Finding
The skill metadata claims minimal/offline behavior, but static analysis indicates access to environment data plus network and shell-capable behavior without declaring corresponding permissions. That mismatch is dangerous because users and orchestrators may grant execution under false assumptions, enabling unexpected data exposure or command execution pathways.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
This is a strong description-behavior mismatch: the skill advertises fully bundled, deterministic, offline analysis requiring only Node, yet analysis indicates it can start a local HTTP server, open a browser, watch files in real time, and use SQLite/web-dashboard features. Such hidden functionality materially expands attack surface and privacy risk because users may run it expecting a simple local report generator, not a persistent monitoring/dashboard component.

Intent-Code Divergence

Medium
Confidence
78% confidence
Finding
The inline help claims markdown mode is the only write behavior, but the code also supports --snapshot and writes output via generateSnapshotCard using a user-controlled output path. This is dangerous because users and downstream agents may rely on the stated write-scope when deciding whether to run the tool, leading to unexpected filesystem modifications and reduced trust in the tool's declared behavior.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The generated page states that it is '100% offline' and that data never leaves the machine, yet it imports Google-hosted fonts via CSS. Opening the HTML can therefore trigger a network request to a third party, creating a privacy and trust violation and contradicting the tool's explicit offline guarantees.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata promises that source is fully bundled and nothing is fetched at runtime, but the generated HTML fetches fonts from Google. This breaks the advertised security model and can leak user metadata such as IP address, user agent, and access timing to an external service whenever the snapshot is viewed.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
A billing-analysis skill that emphasizes offline operation has no clear functional need to contact Google Fonts. Even if the request is only for presentation, it expands the attack surface, defeats air-gapped/offline expectations, and creates unnecessary third-party data exposure in a context where users may reasonably expect local-only processing.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The file contradicts the skill metadata by requiring the native better-sqlite3 module at runtime and even instructing the user to install it globally. This is a supply-chain and trust-boundary issue because the skill is presented as self-contained with only Node required, but actually expands the runtime dependency surface to a compiled third-party package.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code spawns external OS commands via child_process.exec to open a browser automatically. Even though the URL is locally constructed, launching shell commands is beyond the stated billing-analysis purpose and increases attack surface, especially on systems where command resolution or environment behavior is unusual.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The embedded HTML imports Google Fonts at runtime, which directly contradicts the claim that nothing is fetched at runtime. This creates undeclared outbound network access, leaks user metadata such as IP and user agent to a third party, and weakens the trust assumptions for an allegedly fully bundled local dashboard.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The code parses local session transcript JSONL files and extracts message usage, model, timestamps, and cost data. Even if it does not exfiltrate data, it processes conversation-derived artifacts from the user's home directory without any consent gate, scope restriction, or visible disclosure, which creates a privacy risk because transcripts may contain sensitive prompts, metadata, and assistant outputs.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The analyzer automatically enumerates agent session directories under ~/.openclaw and web-chat transcript files, expanding analysis beyond a single explicitly supplied file. That broad home-directory discovery increases the privacy impact because it can sweep in unrelated or stale conversations the user did not intend to have inspected.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The HTML template interpolates analysis-derived values such as finding titles, labels, and counts directly into markup without escaping. If untrusted data can reach fields like titles, model labels, or other analysis content, an attacker could inject HTML or script into the generated file, leading to stored XSS when the local report is opened.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The dashboard stores transcript-derived usage and session data in a local SQLite database without any visible disclosure or consent mechanism in this file. Persisting behavioral data increases privacy risk because session names, IDs, timestamps, model usage, and cost history remain on disk beyond the original transcript files.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code scans the user's home-directory OpenClaw agent/session files and continuously monitors transcript JSONL content without an explicit privacy warning. In this skill context, the access is related to billing analysis, but it still touches potentially sensitive local metadata and transcript-derived usage records, so undisclosed collection is risky.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
webDashboard.js:34

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
webDashboard.js:106