Security audit

Council Brief

Security checks across malware telemetry and agentic risk

Overview

This skill is a real local LLM app installer, but it handles credentials and local processes broadly enough that users should review it before installing.

Install only if you trust the external llm-council repository and are comfortable letting it use your LLM credentials. Before running install, check whether ports 8001, 5173, or 4173 are running important services, and avoid storing sensitive prompts or secrets in questions unless you understand how the backend and model providers handle them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill instructs the agent to execute shell scripts, but the manifest does not declare permissions or clearly scope those capabilities. In this context, the undocumented shell access is significant because the skill can install software, launch services, and alter the local environment, reducing informed user consent and bypassing least-privilege expectations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose understates several sensitive behaviors: reading credentials from local files, propagating those credentials into another application's .env, cloning external code, and killing processes on local ports. This is dangerous because users invoking a productivity/query skill may not expect credential handling, code execution from an external repository, or disruptive process termination, creating real risk of secret exposure and local system impact.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The installer reads sensitive local credential sources from the user's OpenClaw workspace and config in order to obtain API access tokens. Even if intended to streamline setup, accessing broader credential stores than the skill strictly needs expands trust boundaries and can expose or repurpose secrets without explicit user consent.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script enumerates any listener on fixed ports 8001, 5173, and 4173 and kills those processes, then escalates to kill -9 if they persist. This can terminate unrelated applications owned by the user, causing denial of service, possible data loss, and surprising interference outside the skill's scope.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The install flow states that it clones a repository, installs dependencies, and starts backend/frontend services, but the skill description does not present these as security-sensitive actions or warn about local execution and exposed ports. In a skill that looks like a simple LLM query helper, that omission increases the chance a user will trigger software installation and persistent background services without understanding the trust and attack surface implications.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation says credentials may be resolved from environment variables, a workspace .env, or gateway configuration, but it does not warn that secrets will be accessed and potentially reused by the installed application. That is dangerous because API keys and tokens are highly sensitive; silent discovery and propagation expands the exposure surface and may leak credentials into files, logs, or less-trusted components.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends the user's question content to a backend service for processing without any explicit disclosure, confirmation, or warning at the point of transmission. In a skill context, prompts may contain secrets, proprietary data, or personal information, so silent transmission creates a real privacy and data-handling risk even though the destination is localhost.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The installer reads API credentials from local configuration and writes them into the cloned application's .env file without meaningful runtime disclosure or consent. This duplicates sensitive material into another location that may have weaker permissions, be accidentally committed, or be consumed by additional tooling in the repo.

Missing User Warnings

High
Confidence
99% confidence
Finding
Force-killing processes on hard-coded ports without user approval is an unsafe side effect for an installer, especially because it includes kill -9. In the context of an install/query/manage skill, this behavior is broader than necessary and can disrupt unrelated developer services or local applications.

Credential Access

High
Category
Privilege Escalation
Content
INSTALL_DIR="${HOME}/workspace/llm-council"
SKILL_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PID_FILE="${SKILL_DIR}/pids"
WORKSPACE_ENV="${HOME}/.openclaw/workspace/.env"
OPENCLAW_CONFIG="${HOME}/.openclaw/openclaw.json"

# ── Arg parsing ───────────────────────────────────────────────────────────────
Confidence
78% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
#
# Priority order:
#   1. Environment: OPENROUTER_API_KEY (already exported)
#   2. Workspace .env: ~/.openclaw/workspace/.env
#   3. OpenClaw local gateway: ~/.openclaw/openclaw.json → gateway.auth.token
#      Uses http://127.0.0.1:<port>/v1/chat/completions as drop-in OpenAI API
#
Confidence
83% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
OPENCLAW_GATEWAY_TOKEN=""
OPENCLAW_GATEWAY_PORT=""

# Try workspace .env
if [[ -z "$OPENROUTER_API_KEY" && -f "$WORKSPACE_ENV" ]]; then
  OPENROUTER_API_KEY="$(grep -E '^OPENROUTER_API_KEY=' "$WORKSPACE_ENV" \
    | cut -d= -f2- | tr -d '"' | tr -d "'" | head -1 || true)"
Confidence
97% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
cd "$INSTALL_DIR"

# ── Write .env ────────────────────────────────────────────────────────────────
info "Writing .env..."
if [[ "$API_MODE" == "openclaw_gateway" ]]; then
  # Use local OpenClaw gateway — OpenAI-compatible endpoint, no external key needed
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
info "Writing .env..."
if [[ "$API_MODE" == "openclaw_gateway" ]]; then
  # Use local OpenClaw gateway — OpenAI-compatible endpoint, no external key needed
  cat > .env <<EOF
# OpenClaw local gateway — no external API key required
OPENROUTER_API_KEY=${OPENCLAW_GATEWAY_TOKEN}
OPENROUTER_API_URL=http://127.0.0.1:${OPENCLAW_GATEWAY_PORT}/v1/chat/completions
Confidence
98% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
EOF
  info ".env: OpenClaw gateway mode (http://127.0.0.1:${OPENCLAW_GATEWAY_PORT}/v1/chat/completions)"
else
  cat > .env <<EOF
OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
EOF
  info ".env: OpenRouter direct mode"
Confidence
97% confidence
Finding
.env

VirusTotal

64/64 vendors flagged this skill as clean.