OpenClaw Wallpaper

Security checks across malware telemetry and agentic risk

Overview

This wallpaper chat skill is mostly aligned with its purpose, but it exposes unauthenticated local services too broadly and includes unsafe file-serving and process-restart behavior.

Review carefully before installing. Use it only if you are comfortable running a local wallpaper chat server that stores conversations and can send messages or images to the OpenClaw Gateway. Before use, bind services to 127.0.0.1, restrict CORS, add authentication, remove or rotate the hardcoded gateway token, avoid the unsafe UI server, and disable or tightly scope automatic process restarts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes clear network behavior, including a local bridge server and communication with an OpenClaw gateway, yet no corresponding permissions are declared. Missing permission disclosure is a security issue because it prevents users and review systems from accurately understanding the skill’s network reach and trust boundary before installation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose frames the skill as a desktop wallpaper/chat experience, but the described behavior includes additional high-risk capabilities: hardcoded bearer token use, multiple local HTTP services, process management and restart logic, filesystem persistence, and image forwarding to a model. This mismatch is dangerous because users may consent to a cosmetic wallpaper feature without realizing they are installing a long-running service with credential handling, file storage, and network-exposed APIs.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The documented configuration sets the bridge server host to 0.0.0.0, exposing the service on all network interfaces instead of only localhost. For a desktop wallpaper chat bridge, this unnecessarily broadens access and can allow other devices on the network to reach endpoints such as chat, stream, clear, or health, increasing the chance of unauthorized interaction or data exposure.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code force-kills and respawns Node processes using taskkill and spawn, which gives the skill local process-management capability beyond simple wallpaper/chat behavior. In this context, the kill filter is broad and the restart happens automatically without validating ownership of the target process, creating risk of disrupting unrelated local services or masking persistent background behavior.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
This file implements a persistent watchdog service with logging, health probing, status-file writing, and self-healing restarts, which is more invasive than the stated wallpaper/chat purpose suggests. The mismatch increases security concern because users may not expect a long-running local monitor that continuously checks services and maintains background persistence.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The server accepts base64-encoded images and forwards them to the backend model for analysis, but this capability is not clearly disclosed in the skill description. In a desktop-wallpaper context, users may reasonably assume they are only sending text; silently accepting screenshots or photos increases privacy risk because sensitive visual data may be transmitted and processed unexpectedly.

Description-Behavior Mismatch

Low
Confidence
91% confidence
Finding
The code stores full conversation histories in local JSON files under a persistent data directory, but the description only broadly mentions context persistence. This creates an undisclosed local data-at-rest risk: private conversations remain on disk and may be accessible to other local users, backup systems, or malware.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The streamed request path calls trimHistory(history) but does not use its return value, so histories can continue growing and then be saved to disk unbounded despite comments claiming trimming. This can lead to excessive retention of sensitive chat data and potential disk or memory exhaustion over time in a 24/7-running wallpaper service.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code starts a local HTTP server that serves files from a fixed directory, which creates a broader file-serving capability than a wallpaper UI strictly requires. Even though it is bound to localhost by default, any local process or browser content able to reach 127.0.0.1:8080 can request files from that directory, increasing the attack surface and exposing local assets unintentionally.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The server derives the filesystem path directly from req.url using string concatenation and performs no normalization or containment check. An attacker can potentially use crafted paths such as traversal sequences to escape the intended wallpaper directory and read arbitrary local files accessible to the process.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises context persistence as a feature but does not clearly warn users that conversation history is automatically written to disk. This is risky because chat logs may contain sensitive personal data, and users may not expect a wallpaper application to retain those records locally across restarts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation shows the service listening on all interfaces but does not clearly warn users that this makes the bridge reachable from outside the local machine. That omission is dangerous because users may assume a desktop wallpaper component is local-only, while the actual configuration expands the attack surface to the surrounding network.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The installation flow promotes automatic installation and startup behavior, but the documentation does not clearly warn that scripts may modify the system, install software, and configure persistence at boot. This is a security concern because users may run privileged scripts without understanding they are enabling long-running background components and startup entries.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script forcibly terminates and restarts processes automatically, with no user-facing warning, confirmation, or safe shutdown path. That can cause denial of service, data loss, or repeated service churn, especially if the health check fails due to transient conditions or if the wrong process is matched.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
User messages and optional images are sent to a separate gateway service using an authorization token, but the skill does not provide clear user-facing disclosure that their content leaves the local wallpaper server for model processing. In this context, the desktop wallpaper may feel like a local companion app, so undisclosed forwarding materially increases privacy and trust risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The server writes conversation history to disk without a clear warning to users that their chats are being stored locally. For a desktop wallpaper assistant running continuously, silent persistence can expose highly personal or long-lived records beyond what users expect.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Selected or pasted images are converted to base64 and transmitted to the backend without any clear privacy notice, consent prompt, or explanation of where the data goes or how it is handled. In a desktop wallpaper context, users may not expect clipboard images or local files to be uploaded, which increases the risk of accidental disclosure of sensitive screenshots or personal content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Beyond the path traversal risk, the code provides silent local file access behavior with no warning, consent, or documentation for users. In the context of a wallpaper skill, hidden local serving behavior is more suspicious because the stated purpose does not clearly require exposing a URL-driven file interface.

VirusTotal

65/65 vendors flagged this skill as clean.
