Openclaw Pixel Agents Dashboard

Security checks across malware telemetry and agentic risk

Overview

The dashboard’s purpose is mostly coherent, but it exposes powerful unauthenticated controls that can restart services, change config, run updates, and use SSH if the server is reachable.

Install only in a trusted local environment. Bind it to localhost or put it behind strong authentication before use, disable remote agents and service controls unless needed, avoid password-based SSH, and review the generated config before exposing the dashboard on any network.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%

The skill advertises setup and runtime behavior that uses environment variables, network access, and shell execution, but the manifest text shown does not declare corresponding permissions or clearly warn about those capabilities. This creates a transparency and consent problem: users may run a dashboard skill expecting passive visualization while it performs active system and network operations.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%

The documented purpose frames the skill as a visual dashboard, but the observed behavior includes config generation, service control, update execution, SSH access, and restart/termination actions. That mismatch is dangerous because it conceals powerful operational capabilities behind a benign-seeming description, increasing the chance an operator grants trust or runs it without understanding the system-level impact.

Description-Behavior Mismatch

Severity: High
Confidence: 98%

This server is described as a dashboard/visualization component, but it exposes unauthenticated endpoints that can restart services, start/stop arbitrary services, trigger software updates, and spawn or interact with agent sessions. If the dashboard is reachable by other users or network peers, an attacker could directly manipulate operational state, disrupt availability, or cause remote code/command execution through downstream service-control and update mechanisms.

Context-Inappropriate Capability

Severity: High
Confidence: 96%

This module provides remote service control over SSH, including use of passwords and private key paths, in a skill described as a pixel-art operations dashboard. It also builds shell commands by interpolating host, user, unit, and password values into strings passed to execSync, which expands the blast radius from simple monitoring to privileged remote command execution and creates command-injection and credential-exposure risk if configuration is compromised or influenced.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%

The unauthenticated `/api/setup/check-gateway` endpoint lets any remote user cause the server to make outbound requests to attacker-chosen URLs. This is effectively SSRF-style URL probing and can be used to scan internal services or cloud metadata endpoints from the dashboard host, which exceeds the intended setup/dashboard role.

Context-Inappropriate Capability

Severity: High
Confidence: 99%

The `/api/setup/save` endpoint accepts arbitrary configuration data with no authentication, writes it to disk, and then terminates the process to trigger a restart. Any network-reachable attacker can reconfigure the service, potentially inject malicious endpoints or settings, deny service by forcing restarts, and take over subsequent dashboard behavior.

Context-Inappropriate Capability

Severity: High
Confidence: 95%

This code constructs an SSH command by interpolating `remote.password`, `remote.user`, `remote.host`, and the remote command directly into a shell string passed to `execSync`. If any of those configuration values are attacker-controlled or improperly validated, this enables command injection locally and grants powerful remote administration capability over configured agents.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%

This component is not merely visualizing state; it performs a privileged operational action by issuing a POST to `/api/restart/${gatewayId}` when a user confirms the alarm pull. In the context of a dashboard skill, embedding direct restart controls behind a stylized fire-alarm UI can increase the chance of accidental or unexpected service disruption, especially if authorization, audit logging, and explicit operator intent are not strongly enforced elsewhere.

Intent-Code Divergence

Severity: Medium
Confidence: 87%

The documentation and presentation frame the feature as a playful 'fire alarm' widget, but the actual behavior restarts production gateways. That mismatch is dangerous because it obscures the true operational impact of the action, increasing the likelihood of operator confusion, accidental activation, and underestimation during review of what the skill can do.

Missing User Warnings

Severity: Medium
Confidence: 90%

The setup instructions tell users to run an auto-discovery/config-generation shell script without warning that it may inspect the local system, probe the network, and modify configuration files. In a skill that also appears to manage agents and remote targets, undisclosed setup side effects materially raise the risk of unintended data exposure, environment changes, or execution in sensitive environments.

Missing User Warnings

Severity: Medium
Confidence: 84%

The module initiates undisclosed remote SSH access using stored credentials and disables host key checking, which materially increases operational and security risk in a dashboard context. Even if intended for telemetry, hidden remote access and weak SSH trust settings can enable credential misuse, man-in-the-middle interception, or unexpected lateral movement if configuration is compromised.

Missing User Warnings

Severity: High
Confidence: 98%

The SSH password is interpolated directly into a shell command for `sshpass`, exposing it to process listings, shell interpretation issues, logs, and accidental leakage. Because `remote.password`, `remote.user`, `remote.host`, and `cmd` are concatenated into a command string passed to `execSync`, this also amplifies command-injection risk if configuration is ever attacker-controlled or insufficiently validated.

Missing User Warnings

Severity: Medium
Confidence: 90%

The code executes local and remote service-control commands without any visible user warning, consent checkpoint, or disclosure at the point of dangerous action. In a dashboard-themed skill, hidden administrative actions increase the chance that users or integrators treat the component as passive visualization when it can actually alter system state across hosts.

Missing User Warnings

Severity: Medium
Confidence: 88%

The module reads remote authentication material from configuration and uses it to perform SSH operations, but there is no visible disclosure or protective handling in this file. Storing or passing passwords for sshpass is especially risky because credentials may leak through process arguments, logs, crash reports, or configuration exposure.

Missing User Warnings

Severity: High
Confidence: 88%

This function performs a remote `npm update -g openclaw` on another host, a privileged and system-changing operation, yet the file shows no authentication, authorization, confirmation, or safety checks around its execution. In a dashboard for live operations, exposing this capability without strong controls materially increases the risk of unauthorized remote changes and service disruption.

Missing User Warnings

Severity: Medium
Confidence: 93%

The script unconditionally overwrites dashboard.config.json using shell redirection, with no confirmation, backup, or existence check. This can destroy user-edited configuration and, because setup scripts are often run casually, creates a real integrity risk even though it does not directly enable code execution.

Missing User Warnings

Severity: Medium
Confidence: 91%

The setup script automatically runs npm install and npm run build, which execute package lifecycle scripts and project build code from the repository and its dependencies. Doing this without explicit upfront notice or opt-in increases the chance a user triggers unintended code execution during a supposedly configuration-oriented setup step.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal