Model Switchboard

Security checks across malware telemetry and agentic risk

Overview

The skill’s main model-management purpose is legitimate, but its bundled local dashboard can change configuration and write API keys without authentication or CSRF protection.

Review before installing. The CLI portion is largely purpose-aligned, but treat the bundled dashboard as privileged local admin software. Prefer CLI commands, do not run the UI server on shared or untrusted machines, and avoid saving long-lived provider keys unless you are comfortable with plaintext local .env storage and the localhost API exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The backend exposes an unauthenticated secret-management API that can set and delete arbitrary environment keys via HTTP. Any local webpage or process able to reach 127.0.0.1:8770 can abuse the permissive CORS policy to plant attacker-controlled credentials, swap provider tokens, or break integrations, which is a high-impact integrity issue with potential credential compromise.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The server provides broad HTTP-driven mutation of local OpenClaw configuration and rollback state without any authentication or authorization checks. Combined with listening on localhost and allowing all origins, this enables cross-site request attacks from a browser to silently reconfigure models, channels, or backups, undermining agent behavior and trust boundaries.

Vague Triggers

Medium
Confidence: 91%
Finding
The `openrouter/auto` entry explicitly states it 'auto-selects best available model' while being marked safe for `primary` and `fallback` roles, but the registry provides no concrete constraints on what providers, model classes, trust boundaries, cost ceilings, or data-handling policies govern that selection. In a model registry used for agent role assignment, unconstrained auto-routing can send sensitive prompts or tool-enabled workflows to an unexpected backend, creating policy bypass, data exposure, reliability, and compliance risk.

Missing User Warnings

Medium
Confidence: 83%
Finding
The modal tells users that API keys will be saved to .env, but it does not present a clear warning about the security implications of storing long-lived secrets in a local plaintext environment file. In a skill that directly manages provider credentials, insufficient disclosure increases the chance users store sensitive keys in unsafe locations or on shared systems without understanding the risk.

Missing User Warnings

Low
Confidence: 80%
Finding
The UI offers one-click 'Auto-Fix' actions that POST to configuration-changing endpoints without presenting a clear confirmation or preview of the changes. While this appears intended for convenience, silent modification of model configuration can produce unexpected behavior and weakens change-awareness for security-relevant settings.

Missing User Warnings

Medium
Confidence: 88%
Finding
Credential writes and deletions occur silently through API calls, with no user-facing warning, approval step, or durable audit trail. In this service context, that meaningfully increases the danger of the unauthenticated secret-management endpoints because malicious or accidental secret changes may go unnoticed.

Missing User Warnings

Medium
Confidence: 86%
Finding
Configuration writes, backup creation, and rollback are privileged file operations exposed through the backend without explicit warning or audit disclosure. While not the root cause, the lack of transparency makes unauthorized or accidental changes harder to detect and recover from, increasing operational and security risk.

Credential Access

High
Category: Privilege Escalation
Content
api('POST', '/api/key', { key: envVar, value: input.value.trim() })
    .then(function(res) {
      if (res.ok) {
        showModalStatus('success', '✓ Saved ' + envVar + ' to .env');
        toast('✓ ' + envVar + ' saved to .env', 'success');
        setTimeout(function() {
          closeModal();
Confidence: 88%
Finding

VirusTotal

66/66 vendors flagged this skill as clean.
