ClawHub

Adguard Home

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed AdGuard Home monitoring skill, but it handles admin credentials and can show private DNS activity.

Prefer environment variables or a secrets manager. If using adguard-instances.json, keep it out of version control and restrict it to owner-only permissions. Treat query-log and client output as private browsing and network metadata, and install this only where the agent/user should have AdGuard administrative visibility.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The version history states that file-based credential loading was removed, but the documentation still instructs users to create `adguard-instances.json` containing admin credentials in plaintext. This contradiction can mislead users into storing sensitive credentials insecurely and creates a realistic risk of credential exposure through local compromise, backups, screenshots, or accidental source control inclusion.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
This is a real security issue in the report: it simultaneously claims the skill is 'Production Ready' and that vulnerabilities are fixed, while still documenting plaintext credential storage in a world-readable/group-writable configuration file. That contradiction can mislead users into deployment despite unresolved credential exposure risk.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The header comment understates the skill's capabilities by claiming it only queries DNS statistics and configuration, while the implementation also retrieves query logs and client data. This can mislead users or reviewers into granting trust or credentials without realizing the skill accesses more sensitive operational and privacy-related information.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The document explicitly recommends using `cat` to display `~/.openclaw/workspace/adguard-instances.json`, which the same audit acknowledges contains plaintext credentials. Even though this is framed as an operational check, presenting a direct command to print secrets without a warning increases the chance of accidental credential exposure in terminals, logs, screen shares, or shell history.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill prominently advertises query log and client activity features, and the examples show domains, blocking decisions, and client IP addresses, but there is no clear privacy warning near the feature description or command usage. In practice, these commands can expose sensitive browsing metadata, internal network structure, and user/device activity to anyone with access to the skill output.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The querylog command fetches and prints recent DNS queries, including domains, client identifiers, timestamps, and matching rules. This exposes sensitive browsing and network-activity data to whoever runs the skill or can view its output, creating a privacy and operational-information disclosure risk, especially in shared terminals, logs, or agent execution environments.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The clients command enumerates configured and auto-discovered clients and prints names or identifiers that may reveal internal hostnames, device identities, or network structure. In many environments this is sensitive inventory information and should not be disclosed casually without clear notice or least-privilege controls.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
**Issue:** Credentials stored in plaintext in `adguard-instances.json`

**Current Permissions:**
```bash
-rw-rw-r-- 1 foxleoly foxleoly 268 Feb 24 00:39 adguard-instances.json
```
Confidence
91% confidence
Finding
Permissions:*

Excessive Permissions

Low
Category
Privilege Escalation
Content
**Issue:** Credentials stored in plaintext in `adguard-instances.json`

**Current Permissions:**
```bash
-rw-rw-r-- 1 foxleoly foxleoly 268 Feb 24 00:39 adguard-instances.json
```
Confidence
95% confidence
Finding
Permissions:*

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal