v1.0.3

Umbrel Proxy Manager

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:03 AM.

Analysis

The skill is mostly aligned with managing Umbrel services, but it can persistently rewrite OpenClaw plugin URLs from broad service-mapping data and ships a pre-generated local service inventory that users should review before running.

GuidanceBefore installing or running this skill, inspect scripts/umbrel_services.json, back up your OpenClaw config, and run any updater in dry-run mode first. Prefer the simple, hardcoded sync if you only need the listed OpenClaw services. There is no evidence of credential theft or external exfiltration in the artifacts, but the persistent config changes and bundled local-state file merit review.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

scripts/update_openclaw_config.py

for mapping in mappings:
        app_name = mapping['app_name']
        proxy_port = mapping['proxy_port']
        plugin_name = map_app_to_plugin(app_name)
...
cmd = f"openclaw config set {config_path} {base_url}"

The updater loops over all mappings and writes persistent OpenClaw plugin baseUrl settings without a confirmation step, rollback, or narrow allowlist.

User impactRunning the updater can redirect multiple OpenClaw plugins to local endpoints based on discovered or stored mappings, which may change how the user's agent integrations behave.

RecommendationBack up OpenClaw config first, run the updater with --dry-run, inspect the mapping file, and prefer an allowlisted/simple sync path unless broad updates are intended.

Human-Agent Trust Exploitation

SeverityLowConfidenceHighStatusConcern

CHANGELOG.md; scripts/umbrel_services.json

CHANGELOG: "Complete privacy reset... no personal data"; JSON: "service_name": "ghost_db_1", "service_ip": "10.21.0.46"

The privacy-cleanup claim is weakened by the bundled generated service inventory containing specific local service details.

User impactUsers may place more trust in the package's privacy posture than the artifacts support.

RecommendationTreat the privacy claims cautiously and require the maintainer to remove generated local-state files or clearly document why they are included.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

scripts/umbrel_proxy_sync.sh

check_dependency "docker" "Docker" || exit 1
check_dependency "python3" "Python 3" || exit 1
check_dependency "openclaw" "OpenClaw CLI" || exit 1
check_dependency "curl" "curl" || exit 1

The scripts require several local tools even though the registry requirements section declares no required binaries.

User impactThe skill may fail or behave unexpectedly on systems that do not already have these tools installed and available.

RecommendationRequire explicit metadata declarations for Docker, Python, OpenClaw CLI, curl, and Python package needs before trusting the install experience.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

scripts/simple_umbrel_sync.sh

docker ps --format "{{.Names}}" | grep -q "${service}_app_proxy_1"
...
openclaw config set "plugins.entries.${service}.config.baseUrl" "http://localhost:$port"

The script uses local Docker inspection authority and OpenClaw configuration write authority; this is expected for the purpose but should be understood before running.

User impactThe skill can read local container metadata and change OpenClaw plugin configuration under the privileges of the user running it.

RecommendationRun it only from an account that is intended to have Docker and OpenClaw configuration access.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusConcern

scripts/umbrel_services.json

"service_name": "bitcoin_app_1",
"service_ip": "10.21.21.8",
"proxy_name": "bitcoin_app_proxy_1",
"proxy_port": "2100"

The package includes a generated service-mapping JSON file with concrete local service names, IPs, and ports; the updater/test scripts use an umbrel_services.json file as reusable state.

User impactA stale or bundled mapping file could expose local service topology and, if reused, influence later OpenClaw config updates with data that did not come from the user's current system.

RecommendationDelete or inspect the bundled mapping file before use, generate a fresh mapping on the target machine, and do not run config updates from stored mappings you have not reviewed.