Ai Bill Clawhub

Security checks across malware telemetry and agentic risk

Overview

This looks like a real billing dashboard, but it reads local OpenClaw session/config data, exposes billing APIs without real authentication, and installs persistent services through a risky remote installer.

Install only if you intentionally want a persistent billing monitor that reads local OpenClaw session metadata. Keep port 8003 and /var/www/html/bill private, do not treat the client-side PIN as security, review the installer before running it, and prefer adding server-side authentication plus explicit controls for starting, stopping, and deleting collected billing data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (20)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The collector reads agent session data, billing vault data, and OpenClaw runtime configuration from root-scoped local files, which exceeds the minimum data needed for a simple usage exporter and creates unnecessary access to broader runtime state. Even though the code appears aimed at billing/telemetry rather than overt exfiltration, aggregating sensitive local state and publishing derived results to web-served files increases exposure if the component is repurposed, misconfigured, or compromised.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The lock screen is only enforced in client-side JavaScript with a hardcoded 4-digit secret (`SECURE_CODE = "1234"`), so any user can read, modify, or bypass it through browser devtools. This creates a false sense of security around billing or usage information and allows unauthorized local access to protected UI functions without any real authentication boundary.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script claims to fetch pricing data from a trusted central repository, but instead overwrites the local pricing file with hardcoded synthetic data. This is dangerous because downstream billing or model-selection logic may trust the file as authoritative, causing silent misbilling, bad business decisions, or policy bypass through falsified pricing data.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README states that a background collector scans active sessions and archives usage data, but it does not clearly disclose what session data is accessed, how long it is retained, or the privacy implications for users. In a billing/monitoring skill, silent or under-documented session inspection can expose sensitive usage metadata and normalize monitoring without informed consent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation explicitly tells an agent it may update `vault.json` on the user's behalf, but provides no requirement for user confirmation, authorization checks, validation, or audit logging. Because `vault.json` stores balances and payment modes, unauthorized or mistaken writes could alter billing state, trigger incorrect charges, or hide spending issues.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code reads /root/.openclaw/openclaw.json to extract runtime provider/model defaults without any access control boundary, minimization, or disclosure to the user. While it does not directly expose secrets in this snippet, reading root-owned configuration broadens the blast radius because such files often contain sensitive operational settings and may later include credentials or internal endpoints.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer performs privileged package-management actions via sudo without an explicit upfront warning or confirmation that system packages and services will be modified. In the context of a one-line installer, this increases the chance that users grant elevated privileges to code they have not reviewed, which can lead to unintended system-wide changes if the script or its source is compromised.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script downloads an archive from a remote GitHub repository, extracts it, and immediately runs npm install and service setup without clearly warning the user that remote application code will be fetched and executed. This is especially risky in an installer designed for curl|bash-style use, because a compromised repository, dependency, or network path could result in arbitrary code execution on the host.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The /api/setup endpoint accepts arbitrary client-supplied configuration values and writes them directly to vault.json on the server without any authentication, authorization, CSRF protection, or user disclosure/confirmation. Because /api/vault also exposes the stored contents back to any caller, an attacker on the network or a malicious web page could overwrite billing configuration and potentially read or tamper with sensitive financial/account state.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
if ! command -v unzip &> /dev/null; then
    echo "📦 Installing unzip..."
    if command -v apt-get &> /dev/null; then
        sudo apt-get update -qq && sudo apt-get install -y -qq unzip
    elif command -v yum &> /dev/null; then
        sudo yum install -y unzip
    elif command -v dnf &> /dev/null; then
Confidence
93% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
if ! command -v unzip &> /dev/null; then
    echo "📦 Installing unzip..."
    if command -v apt-get &> /dev/null; then
        sudo apt-get update -qq && sudo apt-get install -y -qq unzip
    elif command -v yum &> /dev/null; then
        sudo yum install -y unzip
    elif command -v dnf &> /dev/null; then
Confidence
93% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
if command -v apt-get &> /dev/null; then
        sudo apt-get update -qq && sudo apt-get install -y -qq unzip
    elif command -v yum &> /dev/null; then
        sudo yum install -y unzip
    elif command -v dnf &> /dev/null; then
        sudo dnf install -y unzip
    elif command -v brew &> /dev/null; then
Confidence
93% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
elif command -v yum &> /dev/null; then
        sudo yum install -y unzip
    elif command -v dnf &> /dev/null; then
        sudo dnf install -y unzip
    elif command -v brew &> /dev/null; then
        brew install unzip
    else
Confidence
93% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
echo "🚀 Setting up services..."
if command -v systemctl &> /dev/null; then
    # Linux with systemd
    sudo cp systemd/*.service /etc/systemd/system/
    sudo systemctl daemon-reload
    sudo systemctl enable ai-bill ai-bill-collector
    sudo systemctl start ai-bill ai-bill-collector
Confidence
97% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
if command -v systemctl &> /dev/null; then
    # Linux with systemd
    sudo cp systemd/*.service /etc/systemd/system/
    sudo systemctl daemon-reload
    sudo systemctl enable ai-bill ai-bill-collector
    sudo systemctl start ai-bill ai-bill-collector
    echo "✅ Services started!"
Confidence
90% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# Linux with systemd
    sudo cp systemd/*.service /etc/systemd/system/
    sudo systemctl daemon-reload
    sudo systemctl enable ai-bill ai-bill-collector
    sudo systemctl start ai-bill ai-bill-collector
    echo "✅ Services started!"
elif [[ "$OSTYPE" == "darwin"* ]]; then
Confidence
96% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
sudo cp systemd/*.service /etc/systemd/system/
    sudo systemctl daemon-reload
    sudo systemctl enable ai-bill ai-bill-collector
    sudo systemctl start ai-bill ai-bill-collector
    echo "✅ Services started!"
elif [[ "$OSTYPE" == "darwin"* ]]; then
    # macOS
Confidence
94% confidence
Finding
sudo

Session Persistence

Medium
Category
Rogue Agent
Content
# Linux with systemd
    sudo cp systemd/*.service /etc/systemd/system/
    sudo systemctl daemon-reload
    sudo systemctl enable ai-bill ai-bill-collector
    sudo systemctl start ai-bill ai-bill-collector
    echo "✅ Services started!"
elif [[ "$OSTYPE" == "darwin"* ]]; then
Confidence
98% confidence
Finding
systemctl enable

External Script Fetching

High
Category
Supply Chain
Content
#!/bin/bash

# AI Bill Intelligence - One-line Installer
# Usage: curl -fsSL [URL] | bash

set -e
Confidence
99% confidence
Finding
curl -fsSL [URL] | bash

Chaining Abuse

High
Category
Tool Misuse
Content
#!/bin/bash

# AI Bill Intelligence - One-line Installer
# Usage: curl -fsSL [URL] | bash

set -e
Confidence
99% confidence
Finding
| bash

VirusTotal

66/66 vendors flagged this skill as clean.
