
Security audit

Umbrel Proxy Manager

Security checks across malware telemetry and agentic risk

Overview

The skill has a legitimate Umbrel/OpenClaw admin purpose, but it can automatically rewrite local OpenClaw service settings with broad service discovery and weak safeguards.

Install only on an Umbrel/OpenClaw host you control. Review the scripts and the bundled umbrel_services.json before running sync commands, back up OpenClaw config first, prefer dry-run or discovery-only modes where available, and do not run the updater against mappings from an untrusted source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run_command(cmd: str) -> str:
    """Run a shell command and return output."""
    try:
        # Flagged line: shell=True hands the whole string to /bin/sh, so any
        # untrusted content in cmd is interpreted as shell syntax.
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
        return result.stdout.strip()
    except subprocess.CalledProcessError as e:
        return f"ERROR: {e.stderr.strip()}"
Confidence
96% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run_command(cmd: str) -> str:
    """Run a shell command and return output."""
    try:
        # Flagged line: shell=True hands the whole string to /bin/sh, so any
        # untrusted content in cmd is interpreted as shell syntax.
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
        return result.stdout.strip()
    except subprocess.CalledProcessError as e:
        # On failure this variant only prints and falls through, returning None
        # rather than the str the annotation promises.
        print(f"Command failed: {cmd}")
Confidence
95% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation describes and encourages use of shell commands, network access, file reads, and file writes, including modifying OpenClaw configuration and probing Docker-exposed services, yet it declares no permissions. This creates a trust and consent gap: a user or platform may treat the skill as low-privilege while it is designed to perform privileged local enumeration and configuration changes.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This JSON inventory includes mappings for clearly non-proxy and sensitive internal services such as databases, SMB, Syncthing, BitTorrent, and other administrative or peer-to-peer ports, while the skill description says it should map services to accessible host proxy ports. If downstream automation trusts this file to generate routing or OpenClaw config, it can unintentionally expose internal-only services and expand the attack surface well beyond intended web app access.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
Multiple unrelated internal ports are associated with a single proxy entry, especially around the bitcoin proxy mapping, causing one proxy identity to represent many backend services that were likely never meant to be reachable through that path. In this skill context, which automatically discovers services and updates config, that broadens exposure and increases the chance of accidental publication of sensitive internal interfaces.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README repeatedly advertises automatic OpenClaw configuration updates, and suggests the skill may be suitable for cron-based automation, but does not clearly warn users that executing the skill will modify local application configuration. In a security-sensitive admin tool, undocumented side effects can lead users to run scripts with more trust than warranted, causing unintended configuration drift or exposure of services.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The quick-start and usage commands instruct users to run sync scripts directly, but the surrounding text does not clearly disclose that these scripts may change OpenClaw configuration as a side effect. This is dangerous because users commonly treat README commands as safe examples, and executing them could silently alter routing or plugin settings in a way that expands access to local services.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Describing the one-shot sync as discovery, config update, and connectivity testing without an explicit caution understates that it both mutates configuration and performs network probing. In the context of a tool that discovers Docker services and maps them to host ports, this can cause unintended exposure, operational changes, or surprise scans of local endpoints when run by an administrator or automation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script automatically modifies OpenClaw plugin configuration based on local service detection without any confirmation, dry-run mode, or explicit opt-in. In an admin automation context this may be intentional, but it is still a real security and safety concern because running the script can silently change trusted endpoints, causing misrouting, unexpected exposure of local services, or persistence of incorrect settings if the detected service is not the intended one.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This block silently updates the matrix plugin baseUrl to localhost:8008 when the endpoint appears reachable, again without operator confirmation. Because matrix traffic can be security-sensitive, automatic reassignment of the homeserver endpoint may disrupt communications, redirect the plugin to an unintended local service, or create hard-to-notice configuration drift if the script is run in the wrong environment.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script automatically writes configuration changes to OpenClaw for any service it deems reachable, without prompting the user or requiring a dry-run/confirm flag. In an automation context, this can silently alter routing or integrations and make unintended service endpoints active, which is especially risky because the skill claims to manage proxy services and touches gateway-related configuration.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.