Security audit

Openclaw Cli Bridge Elvatis

Security checks across malware telemetry and agentic risk

Overview

The skill is a real OpenClaw CLI/browser bridge, but it also performs high-impact actions with weak scoping, including automatic notifications to a fixed WhatsApp number and broad local agent execution.

Install only if you trust the publisher with local OAuth tokens, browser session cookies, OpenClaw configuration changes, and autonomous local CLI execution. Before enabling it, remove or reconfigure the hard-coded WhatsApp recipient, use a strong proxy API key, restrict localhost access, review the automatic config/auth-store modifications, and avoid using it on shared or sensitive machines unless browser profiles and auth files are protected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (33)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises shell, network, and environment-backed behavior but declares no permissions, which prevents users and reviewers from accurately understanding its trust boundary. In this context, the undocumented capabilities are significant because the skill bridges local CLIs, browser sessions, local HTTP services, and credential material, so under-declaration increases the chance of unsafe installation and misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose materially understates the skill's real behavior: it accesses Codex auth tokens, modifies OpenClaw configuration, adds undocumented providers and commands, exposes HTTP/session endpoints, and sends outbound WhatsApp notifications. This is dangerous because users may install it expecting only local CLI/browser bridging, while it also handles credentials, rewrites config, and transmits status externally, creating a larger attack surface than disclosed.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The plugin sends provider session-status notifications to a hard-coded WhatsApp number unrelated to core bridge functionality. This creates an unauthorized data exfiltration path: session state, operational status, and potentially environment metadata are transmitted off-host to a fixed external recipient without user-configurable consent.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The bridge explicitly launches external agentic CLIs in fully autonomous modes, including Gemini `--approval-mode yolo`, Claude `--permission-mode bypassPermissions` with `--dangerously-skip-permissions`, and Codex `--full-auto`. Because prompts are derived from user-controlled chat messages and these CLIs may execute tools or act on the local environment, this removes the last interactive safety barrier and can turn prompt injection or malicious user input into real local actions.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The Codex path performs side effects on the filesystem by calling `ensureGitRepo(cwd)` and running `git init` when `.git` is absent. For a component described as a provider bridge, silently mutating the selected working directory can alter user files, create hidden metadata, and expand the trust boundary beyond simple model routing.

Intent-Code Divergence

Low
Confidence
92% confidence
Finding
The code claims to write the auth store atomically but actually overwrites the target file directly with `writeFileSync`. If the process crashes or the disk write is interrupted, `auth-profiles.json` can be left truncated or corrupted, potentially breaking authentication and exposing a race window when handling sensitive token material.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The configuration hard-codes a personalized system prompt that names a specific user and timezone, which is unrelated to the bridge plugin's core function. This can cause privacy leakage, misattribution, and behavior steering across all BitNet requests, especially if the plugin is redistributed or used by other operators who unknowingly inherit someone else's identity context.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The generic fallback uses the user-controlled model identifier as the executable name, allowing this bridge to launch arbitrary local programs rather than only the advertised AI CLIs. In the context of an agent skill that brokers model execution, this expands capability from model selection to arbitrary command execution, which can expose local data, run destructive binaries, or invoke attacker-planted executables found on PATH.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
Automatically running `git init` mutates the user's supplied or default working directory, which exceeds the expected scope of session management and may alter repository state in home or project directories. Even though the command is fixed, it creates persistent side effects and can interfere with tooling, secrets handling, or downstream automation that reacts to the presence of a Git repository.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README documents commands that persist authenticated browser profiles and cookies under `~/.openclaw` without clearly warning users that sensitive session material is stored locally and may grant continued account access. On shared hosts or poorly permissioned systems, these profile directories can expose long-lived sessions to other local users or backups.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The plugin is documented as reading OAuth tokens from `~/.codex/auth.json`, which is credential access to locally stored secrets. Even if intended functionality, failing to prominently warn users about token reuse and local secret handling increases the risk of accidental exposure, over-trust, or deployment on systems where that file should not be consumed by third-party plugins.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Automatic WhatsApp alerts transmit provider/session state to an external messaging channel without clear upfront consent or disclosure of exactly what metadata leaves the machine. Even if the content is limited to expiry and login commands, it can reveal provider usage, account state, and operational details that may be sensitive in many environments.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The startup and keep-alive code transmit session-health information externally via WhatsApp without any evident user-facing disclosure or consent in this file. Silent export of authentication/session state is dangerous because it leaks sensitive operational telemetry and can reveal what services the user is logged into and when sessions expire.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The manifest explicitly describes reading local Codex authentication data and exposing a local HTTP proxy, yet provides no user-facing warning about credential handling, data flow, or trust boundaries. In this skill context, that omission is security-relevant because users may unknowingly grant access to sensitive auth material or route prompts and responses through a local service without understanding exposure risks, increasing the chance of credential misuse, prompt leakage, or unintended local access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code auto-initializes a git repository without any warning, prompt, or visible consent flow. This is dangerous because it creates persistent hidden state in the target directory and may surprise users, especially when combined with autonomous CLI execution against home-directory defaults.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The file is designed to copy OAuth access and refresh tokens from one credential store into another automatically on startup, without any visible consent or disclosure mechanism in this code path. Even if intended for convenience, silently propagating sensitive credentials increases the blast radius of token compromise and may surprise users who did not expect cross-store persistence.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This code reads a sensitive OAuth file from the user's home directory and writes the tokens into another persistent auth store by default. In the context of a plugin that bridges external model providers, that silent credential propagation is more dangerous because it expands where high-value tokens reside and creates additional storage locations that must now be protected.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This code reads OAuth credentials directly from a local auth store and exposes them to the surrounding provider bridge without any explicit user consent, warning, or runtime disclosure at the point of access. In the context of a skill whose purpose is to bridge third-party AI accounts into another system, silent token reuse materially increases the risk of unexpected credential exfiltration, account misuse, or users unknowingly granting broader access than intended.

Natural-Language Policy Violations

Medium
Confidence
99% confidence
Finding
The prompt forces 'Current user: Emre' and 'Timezone: Europe/Berlin' without user opt-in, creating implicit identity and locale assumptions for model outputs. In a bridge skill that proxies multiple providers and sessions, this is more dangerous because it can silently contaminate responses, leak developer-specific metadata, and produce incorrect or privacy-impacting behavior for every downstream user of the BitNet path.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code sends the full flattened prompt to gemini.google.com through browser automation, which can expose sensitive user or system-prompt data to a third-party web service. In a bridge skill that routes local AI workflows into browser-hosted providers, this is a real privacy and data-governance risk if users are not clearly informed and do not explicitly consent to remote transmission.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The streaming code path also types and submits the full prompt to gemini.google.com, creating the same third-party data exposure risk as the non-streaming path. Because this skill's purpose is to bridge local tooling with browser sessions for hosted AI providers, users may incorrectly assume prompts stay local unless the transfer is made explicit.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function transmits flattened prompt contents to grok.com through browser automation with no explicit consent flow, warning, or policy guard at this boundary. In a bridge skill that can route local AI workflows to external web providers, this increases the chance that sensitive local prompts, secrets, or proprietary data are exfiltrated to a third-party service without the operator clearly realizing it.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The streaming path has the same core issue as the non-streaming path: it sends prompt data to grok.com without any visible user warning or consent mechanism. Because this skill is specifically designed to bridge local CLI interactions into authenticated web sessions, the contextual risk is higher: users may assume local handling while the code forwards content into a third-party browser session tied to their real account.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persists authenticated Grok session cookies in plaintext JSON under `~/.openclaw/grok-session.json` without setting restrictive file permissions, encryption, or user-facing consent/warning. Anyone or any process with access to that file can reuse the session and impersonate the user on grok.com until the cookies expire or are revoked.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The session-management endpoints allow any local client to spawn sessions, write arbitrary input to them, kill them, and inspect their logs, but authentication is only enforced for `/v1/chat/completions` and not for these admin-style routes. Even though the server listens on `127.0.0.1`, any untrusted local process or malicious webpage interacting with a local service could abuse this to control subprocess-backed sessions and interfere with ongoing work.

VirusTotal

No VirusTotal findings
Static analysis

Detected: suspicious.dangerous_exec, suspicious.potential_exfiltration

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/chrome-check.ts:32

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/claude-auth.ts:234

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/cli-runner.ts:242

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/session-manager.ts:116

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
test/session-manager.test.ts:100

File read combined with network send (possible exfiltration).

Warn
Code
suspicious.potential_exfiltration
Location
index.ts:31