PrivaClaw
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who controls the relay channel or obtains the relay token could make the node run prompts, trigger workflows the runtime accepts, or restart OpenClaw.
Relay-supplied messages are dispatched directly to prompt execution, workflow execution, and process restart. The artifacts do not show local confirmation, workflow allowlisting, or per-command authorization beyond the relay session.
await this.runtime.executePrompt(prompt, ...); ... await this.runtime.restart(); ... await this.runtime.executeWorkflow(workflowId, params);
Use this only with a highly trusted relay, add workflow allowlists and per-command approval for high-impact actions, and make remote restart/trigger permissions separately revocable.
If configured with an http:// or ws:// relay, the control token and remote-control traffic may be observable or alterable on the network.
The configuration normalizes http:// to unencrypted ws:// instead of rejecting it. Because the AUTH_TOKEN is the primary credential for remote node control and is sent during connection setup, insecure transport could expose that credential and the relay traffic.
url = url.replace(/^http:\/\//, "ws://");
Reject ws:// except possibly for explicit localhost development, require wss:// for production, and rotate AUTH_TOKEN if it was ever used over non-TLS transport.
A user may install or configure the skill under the mistaken belief that all relay traffic is always TLS-protected.
This safety assurance is stronger than the implementation: config.ts explicitly allows http:// to become ws://. Users may believe encryption is enforced when it is not.
TLS encrypted — all WebSocket connections use `wss://` (TLS 1.2+)
Update the code to enforce wss:// or revise the documentation to clearly warn when non-TLS relay URLs are allowed.
The relay operator or a compromised relay could observe or influence remote-control interactions.
The external relay is central to the skill and this data flow is disclosed, but it is still a sensitive trust boundary because prompts, responses, and health metadata pass through the relay.
Prompt content and response tokens are transmitted through this relay in real time. Only install this skill if you trust the operator of the relay server.
Use a relay you control or strongly trust, avoid sending secrets through remote prompts, and monitor relay access logs where available.
The node will keep trying to remain reachable through the relay, which may be unexpected on machines where remote access should be temporary.
The client maintains a persistent background relay connection with heartbeats and automatic reconnection. This is disclosed and purpose-aligned, but it means remote-control availability persists while the skill is enabled.
setTimeout(() => this.openSocket(), this.backoff); ... this.heartbeatTimer = setInterval(() => { this.send({ type: "heartbeat", data: this.buildHeartbeat() }); }, HEARTBEAT_INTERVAL);Provide a clear disable switch, verify shutdown stops reconnect attempts, and enable the skill only on nodes intended for ongoing remote access.
It may be harder to confirm that the installed artifact matches the intended upstream release.
The registry source is unknown, while included package files report version 1.0.1. This is not evidence of malicious behavior, but provenance/version mismatch matters for a remote-control skill.
Source: unknown; Version: 1.0.4
Verify the package against the project repository or a pinned commit before installing, especially on production or headless nodes.