Security audit

ClawDef

Security checks across malware telemetry and agentic risk

Overview

ClawDef is a coherent local OpenClaw cost dashboard, but it has sensitive admin powers and automatic model-routing changes that deserve careful review.

Install only if you want ClawDef to administer OpenClaw, not merely observe it. Use limited-scope or budget-capped provider keys, protect the local admin account, review configured model providers, and pause or avoid the automatic optimizer if you do not want future prompts routed to different providers automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no explicit permissions while its documented behavior includes network access, shell-based installation/startup, local web serving, and modification of OpenClaw configuration. This creates a trust and review gap: users and tooling may underestimate the capability of the skill, increasing the chance of unsafe installation or execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The public description emphasizes a local token dashboard, but the documented behavior includes privileged management functions: authentication, role management, config editing, emergency control actions, chat proxying, provider health checks, file watching, and reading sensitive local data. This mismatch is dangerous because it hides the true attack surface and operational authority of the skill, leading users to grant trust to a much more powerful component than advertised.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The UI includes a full AI chat interface that goes beyond the declared token-optimization dashboard purpose. Expanding scope matters because it introduces a direct prompt/response surface to an agent backend, increasing exposure to prompt abuse, data leakage, and misuse under a misleading product description.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The page exposes skill management, provider management, failover controls, alerts, logs, chat, and user administration despite being described as a token-optimization dashboard. This scope mismatch is dangerous because operators may grant trust and permissions appropriate for a dashboard while the UI actually enables broad administrative actions over the agent environment.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The provider management view renders stored API keys directly in the page (`Key: '+(v.apiKey||'-')+'`). Exposing secrets in plaintext to any authenticated UI user greatly increases the risk of credential theft, lateral movement to external model providers, and downstream billing or data-access abuse.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The sidebar exposes emergency shutdown and gateway restart controls directly in the dashboard UI. If access control is weak or the dashboard is trusted as low-risk, these controls allow a user to disrupt service availability or interfere with routing and operational integrity.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Built-in user management allows creating and deleting users and changing passwords from within a dashboard whose stated role is token optimization. This is a privileged identity-management function; if unexpectedly exposed, it expands the attack surface for privilege escalation and unauthorized account lifecycle changes.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The installer comments state that it only copies local files, but the script later runs `npm install --production`, which retrieves and executes third-party package installation logic. This discrepancy is dangerous because it misleads users and reviewers about network access and supply-chain exposure during installation, reducing informed consent and increasing the chance that risky behavior goes unnoticed.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill metadata claims it does not send user data to third parties, yet the installer contacts the npm registry to download dependencies. Even if no user content is intentionally uploaded, this still creates external network communication and introduces dependency and install-script supply-chain risk that contradicts the stated privacy model.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata claims it 'does not send user data to third parties', but the server contains explicit logic to contact external model-provider endpoints and proxy chat requests through the local gateway. This is a transparency and privacy issue: users may disclose prompts, API keys, and model metadata under a false assumption of strictly local processing.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Displaying stored provider API keys without masking or warning is a direct secret-exposure issue, not merely a UX concern. Any authenticated viewer, shoulder-surfer, screen recording, or XSS elsewhere in the app could harvest the credentials and use them outside the application.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The auto-route path can switch the active model in the shared OpenClaw configuration without an interactive warning, confirmation, or durable user consent. In this context, changing the configured model can materially alter privacy, cost, provider jurisdiction, and behavior of other agent workflows using the same config.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The optimizer executes automatic writes to the main OpenClaw configuration based on internal heuristics, again without prior disclosure or confirmation at the time of change. Because this tool is a token dashboard but controls central model selection, silent changes can unexpectedly route future prompts to different providers and affect spending or confidentiality.

VirusTotal

60/60 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.destructive_delete_command

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
SKILL.md:146