Command Center 1.4.1

Security checks across malware telemetry and agentic risk

Overview

This dashboard is not clearly malicious, but it exposes sensitive agent data and operational controls with defaults and documentation that do not fully match its authority.

Treat this as an admin console, not a passive dashboard. Install only if you are comfortable with it reading session transcripts and workspace metadata, deriving operator identities, writing local dashboard/topic state, and controlling OpenClaw jobs. Run it only on a trusted machine, explicitly bind or firewall it to localhost, enable strong authentication before any LAN/VPN/public/tunnel exposure, and review optional setup, dependency, tunnel, and Linear sync scripts before using them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (31)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill declares no permissions while its documented install/start flow and detected capabilities include shell execution, environment access, and network activity. This creates a transparency and trust problem: users may install or run a skill without understanding that it can execute local commands and expose services, which is especially risky for a dashboard handling workspace-wide data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The published description frames the skill as a passive monitoring dashboard, but the detected behavior includes state-changing operations such as job control, file modifications, settings persistence, data migration, dependency installation, shell-based server management, and external API synchronization. This mismatch is dangerous because users may grant trust or deploy the skill assuming read-only observability, when it can actually alter local state, affect scheduled jobs, and send data to third parties.

Description-Behavior Mismatch

High
Confidence
90% confidence
Finding
The dashboard exposes control-plane job operations such as run, pause, resume, skip, kill, and cache clear over HTTP, which goes beyond passive monitoring. If the dashboard is reachable without strong authentication, an attacker or unauthorized user could directly disrupt or manipulate automation workflows.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The Cerebro topic status endpoint modifies topic.md files on disk even though the skill is presented primarily as a monitoring/viewing dashboard. This expands the trust boundary from observation to content mutation, creating risk of unauthorized or accidental changes to operational knowledge files.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The utility layer runs arbitrary shell commands through child_process.exec, which invokes a shell and increases exposure to command injection if any command string becomes influenced by configuration, request data, or untrusted file contents. In a dashboard context, broad subprocess execution is especially dangerous because the process also has access to local environment variables and filesystem data.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code parses session transcripts to extract operator identities from Slack, Telegram, and Discord and persists operator metadata. This creates a privacy and data-minimization issue because a monitoring dashboard is aggregating identifiable user data across sources, increasing sensitivity if the dashboard or stored files are exposed.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The dashboard is described as a monitoring and visibility skill, but the UI exposes state-changing administrative actions such as health checks, gateway status operations, stale-session pruning, and topic status mutation via API calls. In an agent-skill context, blending read-only observability with write/admin capabilities expands the attack surface and can let a user or compromised frontend trigger operational changes that were not expected from a dashboard.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The UI tells users privacy settings are stored in the browser only, but the script later loads and saves them through /api/privacy on the server. This deceptive behavior can cause users to disclose sensitive hidden topics, sessions, and cron names under a false privacy assumption, which is especially risky in a dashboard handling operational and conversation metadata.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script reads install commands from a JSON file and executes them directly with execSync, giving the skill host-level package installation and arbitrary command execution capability. Even if intended for convenience, this is dangerous because a compromised or modified dependency file can run attacker-controlled shell commands on the user's system.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
A monitoring/dashboard skill should not need to detect package managers and install host packages at runtime; this materially expands privilege and attack surface beyond the stated skill purpose. In this context, the mismatch between declared functionality and host modification behavior makes the capability more dangerous because users may not expect the skill to alter system state or invoke privileged package-management operations.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This script goes beyond passive dashboard monitoring and actively mutates external Linear tickets by changing issue state and adding comments based on session activity. That creates a real integrity risk: merely viewing or syncing dashboard data can alter third-party workflow state, potentially disrupting project tracking or causing unauthorized business actions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code unconditionally authorizes any request whose peer address appears to be localhost, bypassing every configured authentication mode. If the service is exposed through a local reverse proxy, SSRF primitive, container/namespace networking path, or other local-to-local hop, an attacker may reach privileged dashboard functionality without credentials. Given this dashboard exposes real-time sessions, LLM usage, costs, and system vitals, unauthorized local access can disclose sensitive operational data and potentially enable broader control-plane abuse.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This server is described as a monitoring dashboard, but it exposes multiple authenticated mutation endpoints that change persistent state, including topic status, operators, and privacy settings. That expands the attack surface from read-only observability to administrative control; if authentication is weak, misconfigured, or bypassed elsewhere, an attacker could modify operational data through the dashboard.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The /api/action endpoint accepts a generic action parameter and passes it into executeAction, which is broader than the stated dashboard purpose and may trigger backend operations through runOpenClaw. A generic action dispatcher is dangerous because small authorization or input-validation mistakes can become arbitrary privileged behavior, making this endpoint a high-value target.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code continuously scans session transcript files, extracts user identifiers from message content, and persists them into an operators database. That is a real privacy and scope-expansion issue because it creates a durable identity mapping from conversational data without clear necessity, minimization, or consent, increasing the risk of unauthorized profiling and secondary use of user data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code parses Slack, Telegram, and Discord identifiers and usernames from free-form conversation content, effectively performing cross-platform identity extraction. This is dangerous because it broadens the sensitivity of collected data beyond routine dashboard telemetry and can enable correlation of users across systems even when they did not intentionally provide that linkage for persistent storage.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The dashboard reads live transcripts and extracts task summaries and labels from user messages, which exposes conversation content beyond simple operational metadata. For a monitoring skill, this creates a privacy and data-minimization issue: sensitive prompts, issue IDs, or internal task details may be surfaced to viewers of the dashboard without clear need or authorization checks in this code.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This utility exposes a generic shell-command execution primitive via `exec`, which is highly dangerous if any caller can influence `cmd`. In a monitoring dashboard skill, broad command execution is not clearly required and substantially increases the risk of command injection, arbitrary code execution, and unauthorized system inspection if upstream inputs are ever passed through.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The vitals collector executes extra local programs outside the app itself, including a user-home binary (`~/bin/osx-cpu-temp`) and a privileged hardware probe path. Even though inputs are not attacker-controlled here, invoking user-home executables and elevated tooling from a monitoring dashboard expands the trust boundary and can execute unexpected code if those binaries are replaced or maliciously planted.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises visibility into memory files, session details, operator activity, and live REST/SSE endpoints, while also documenting weak or disabled authentication modes such as `none`. That combination can lead users to expose highly sensitive workspace and conversation data without a prominent warning that the dashboard is effectively a data exfiltration surface if bound beyond localhost or deployed with weak auth.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The skill advertises session monitoring, unified dashboard state, cost tracking, and conversation/topic visibility without an explicit warning that these views may expose sensitive prompts, metadata, operational details, or private workspace information. In a multi-agent or demo setting, this increases the chance of unintended disclosure to anyone who can access the dashboard.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly presents remote, VPN, and public deployment modes, but does not clearly warn users to enforce strong authentication, TLS, network restrictions, and least-privilege exposure. For a dashboard that serves unified state and live events, insecure remote deployment could expose sensitive operational data or administrative controls to unauthorized users.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The example configuration sets auth.mode to "none", which disables authentication for a dashboard that exposes session monitoring, usage tracking, health data, and potentially sensitive workspace/state information. Even though the sample binds to localhost by default, example configs are frequently copied into production-like setups, and without explicit guidance about when unauthenticated mode is safe, this can lead to unintended exposure if the host binding, proxying, port forwarding, or container networking changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Hidden topics, sessions, and cron identifiers are fetched from and persisted to the server without a user-facing warning that these supposedly local privacy choices are sent off-browser. Because these values may themselves reveal sensitive project names, incidents, or operator activity, silently transmitting them undermines privacy and can leak metadata to backend logs or other authorized viewers.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
When the --tunnel option is used, the script publishes a locally bound dashboard through a Cloudflare tunnel with no explicit warning, confirmation step, or visible discussion of authentication requirements. In the context of a command-center dashboard that monitors agent sessions, usage, costs, and system vitals, exposing the interface externally can unintentionally make sensitive operational data reachable from the internet if the dashboard itself lacks strong access controls.

VirusTotal

64/64 vendors flagged this skill as clean.