PrivaClaw

Security checks across malware telemetry and agentic risk

Overview

PrivaClaw is a disclosed remote-control relay, but it gives a relay server powerful control over an OpenClaw node without enough local safeguards shown in the artifacts.

Install only if you fully trust the relay operator and can protect the auth token. Treat this as remote administration of your OpenClaw node: a compromised relay or token could run prompts, trigger workflows, read streamed responses/status, or restart the process. Prefer only wss:// relay URLs and avoid enabling it on sensitive nodes unless you have external controls such as workflow allowlists, relay-side authorization, auditing, and token rotation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Severity: Medium (93% confidence)
The declared capability set goes beyond a passive 'outbound-only relay' by explicitly defining interfaces for remote prompt execution, workflow execution, and process restart. This creates a misleading trust boundary: operators may deploy the skill expecting transport-only behavior, while the runtime contract enables full remote control actions that could be abused if the relay channel or controller is compromised.

Context-Inappropriate Capability

Severity: Medium (90% confidence)
A remotely invocable restart operation is a privileged control-plane action that can be used for denial of service, disruption of in-flight work, or to repeatedly cycle the process into unstable states. In the context of a skill marketed as a secure relay, this broad lifecycle control is more dangerous because users may not expect or harden against administrative actions being exposed through the relay path.

Description-Behavior Mismatch

Severity: Medium (95% confidence)
The client does more than maintain an outbound relay: it accepts server-originated commands and directly invokes sensitive runtime actions such as executePrompt, executeWorkflow, and restart. That makes the relay server a remote control plane, so compromise, misconfiguration, or abuse of the relay can lead to arbitrary remote task execution on the node.

Context-Inappropriate Capability

Severity: Medium (90% confidence)
The relay can trigger runtime.restart() remotely, which is a sensitive availability-impacting action unrelated to simple message relaying. If the relay endpoint or its credentials are abused, an attacker can repeatedly restart the service, causing denial of service and potentially interrupting running workflows at will.

Missing User Warnings

Severity: Medium (82% confidence)
The manifest explicitly advertises remote control, workflow triggering, health checks, and node restart capabilities, but provides no warning that these actions can affect service availability or execute sensitive operations on a deployed node. In a remote administration skill, omission of clear user-facing risk disclosure increases the chance of unsafe installation or misuse, especially because 'restart the node' is directly system-affecting.

Missing User Warnings

Severity: Medium (84% confidence)
The client sends the auth token in the initial hello message over whatever WebSocket URL is configured, and this file does not enforce secure transport or provide any user-visible warning about credential transmission. If relay_url is misconfigured to use insecure ws:// or points to an untrusted endpoint, the token can be exposed and then used to impersonate the node or issue remote commands through the relay.

VirusTotal

66/66 vendors flagged this skill as clean.