ClawHub
Back to skill

Security audit

OpenClaw Mobile Gateway Installer

Security checks across malware telemetry and agentic risk

Overview

This appears to install a real OpenClaw mobile gateway, but the installed service exposes a broad administrative API and sensitive controls that are not fully disclosed by the installer description.

Install only if you intend to run a network-accessible OpenClaw mobile admin gateway on this host. Restrict port 4800 with firewall or reverse-proxy authentication, review who can call the API, protect or rotate any token stored in /etc/openclaw-mobile-gateway/env, inspect the OpenClaw config paths it can read/write, and do not run uninstall.sh with a custom INSTALL_DIR unless you have verified the path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (28)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises shell, environment-variable, and network-driven installation behavior but declares no permissions, which prevents users and policy systems from understanding the true execution scope before invocation. For an installer that deploys a system service, hidden capabilities materially increase the chance of unintended privileged actions, remote fetches, or credential use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose says the skill only installs and manages a gateway service, but the observed behavior includes a much broader admin surface: configuration mutation, credential-affecting quick actions, file management, chat/session APIs, policy updates, and execution of management operations. This mismatch is dangerous because users may authorize what they believe is a simple installer while actually exposing or deploying a powerful administrative control plane.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file exposes a very broad administrative surface including chat proxying, assistant sessions, memory/file manipulation, routing, healing, service control, upgrades, and system restart, which substantially exceeds the declared purpose of a gateway installer/service manager. In a skill context, this kind of scope expansion is dangerous because it creates unexpected high-privilege capabilities that a user may invoke under the assumption they are only installing or managing the mobile gateway.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
These endpoints proxy chat traffic to OpenClaw targets and expose conversational functionality unrelated to installing or managing the gateway service. That mismatch is risky because it enables data handling and outbound communication beyond the stated skill purpose, increasing the chance of unauthorized use, data leakage, or operator deception.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The memory file and markdown management endpoints allow arbitrary application content/state changes that are not necessary for a gateway installer. In this context, hidden content-management capabilities are dangerous because they let the skill modify persistent data and files under a misleading administrative label.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Installing and uninstalling arbitrary skills is outside the advertised scope of managing the mobile gateway service. This is dangerous because a gateway installer that can also change the platform's skill set may become a privilege-escalation point for loading additional functionality not expected by users or reviewers.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Endpoints for security configuration, healing actions, routing changes, panel settings, service control, and system operations collectively grant extensive control far beyond simple gateway installation/management. In a mislabeled skill, this breadth materially increases risk because it can alter protections, traffic flow, and service behavior in ways users may not anticipate.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file implements far more than gateway install/lifecycle management: it handles chat proxying, model/channel secret management, assistant sessions, memory files, routing, heal actions, and app update policy. For a skill advertised as a one-command mobile gateway installer/service manager, this scope expansion materially increases attack surface and gives the skill unnecessary access to sensitive configuration, network egress, and operational controls.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code sends user messages to arbitrary configured OpenClaw targets via HTTP(S), including optional auth headers, extra headers, and gateway tokens. In an installer/service-management skill, this is unjustified network exfiltration capability and could route sensitive prompts, tokens, or internal data to attacker-controlled endpoints if target configuration is tampered with.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill persists and manages unrelated runtime data including assistant sessions, memory files, markdown content, routing strategies, healing actions, and app update settings. This broad state-management role is outside installer scope and increases the chance that a compromise of this skill exposes user content, operational state, and administrative controls beyond the gateway service itself.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The quick action generates a gateway auth token, writes auth settings through the CLI, and returns the token in the API response. Returning freshly generated credentials to callers greatly increases exposure risk through logs, client storage, or unauthorized callers, and this is beyond normal installer scope.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill performs generalized local command execution for dependency discovery and usage reporting using external binaries such as node, npm, which, and openclaw. While arguments are mostly fixed here, this still grants the skill broader execution capability than required for a simple installer/service manager and can increase host interaction and trust surface.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file implements a broad in-memory AI/backend control plane, including model catalogs, routing strategies, assistant sessions, messaging, update policy, and remote OpenClaw targets, which is materially outside the declared scope of a mobile gateway installer. That scope mismatch increases the attack surface and suggests the skill can manage or proxy LLM traffic and runtime state beyond simple service installation, making misuse or hidden remote-control behavior more dangerous in this installer context.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The embedded model-routing, fallback chains, assistant messaging, approvals, and chat session storage create a general-purpose LLM orchestration capability that is not justified by an installer skill. In the context of a system-service installer, this is dangerous because a user may grant elevated trust expecting deployment behavior while the code also enables broader AI communications and remote interactions that could be abused for persistence, data flow, or command mediation.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill describes one-command installation, auto-start, upgrade, and uninstall of a system service without clearly warning that it will modify systemd state, persist services across reboots, and potentially alter host directories. In a deployment context, omission of these side effects can lead to unauthorized persistence or accidental system changes by users who did not understand the operational impact.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Providing the uninstall command without any caution encourages destructive execution without informing the user that the service and associated directories may be removed. That creates a real risk of accidental data loss, service interruption, or incomplete recovery if users run the command assuming it is a harmless deregistration step.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code writes the OpenClaw runtime configuration file directly to disk with no visible confirmation, warning, backup, or integrity protection. Silent mutation of a sensitive config file can change credentials, endpoints, or behavior in ways users do not expect, increasing risk of misconfiguration and covert persistence.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code transmits chat content and related metadata to remote endpoints without any in-code indication of user disclosure or consent. Because the skill is framed as an installer/service manager, users may not expect their messages to be forwarded off-host, making the data flow more dangerous in context.

Missing User Warnings

High
Confidence
98% confidence
Finding
Model API keys are persisted into the OpenClaw config file in plaintext through normal update flows. Storing long-lived provider credentials on disk without secure storage controls or strong disclosure creates a high-value target for local compromise, backup leakage, or accidental exposure.

Missing User Warnings

High
Confidence
98% confidence
Finding
Channel secrets such as app secrets are written to persistent configuration with no visible security prompt or secret-handling safeguards. These credentials can enable unauthorized messaging platform access if leaked, and the installer context does not justify silently persisting them.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Arbitrary memory file content is written to disk without disclosure, classification, or retention controls. If users or upstream components place sensitive prompts, notes, or credentials in these files, the installer skill becomes an unannounced persistence layer for potentially sensitive data.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The code deletes files without any visible confirmation or preview of what will be removed. Even though path components are sanitized, silent deletion can still cause data loss and is risky behavior for a skill whose stated purpose is service installation and management.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The service-control helper invokes systemctl and falls back to passwordless sudo without any explicit user-facing warning about privilege use or service impact. Hidden privilege escalation attempts are dangerous because they can alter system state unexpectedly and may normalize elevated execution in a broadly scoped skill.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill can start, stop, and restart the system service directly, with no confirmation or secondary authorization visible in this code. For a system service, such actions can cause denial of service, interrupt active traffic, or be abused by unintended callers to manipulate host operations.

Missing User Warnings

High
Confidence
98% confidence
Finding
The quick action modifies gateway authentication mode and token via subprocess calls with no user warning and then exposes the generated token. This can silently change access control for the gateway and create credential leakage in one step, making it particularly risky in an installer-branded skill.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
backend/src/services.ts:1150

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
backend/src/services.ts:16

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
backend/src/services.ts:412