Web Gateway

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local OpenClaw web chat gateway, but it needs Review because it can silently persist sensitive household/location details and exposes unauthenticated state-changing endpoints when run.

Install only if you intend to run a local household chat gateway that stores memory. If you do:
  • bind it to localhost or put it behind authentication;
  • review and periodically delete the memory/state files;
  • avoid entering sensitive home/work/address details unless you want them retained;
  • use a restricted Google Maps browser key;
  • pin/audit dependencies before exposing the service beyond a trusted machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The chat route persistently stores user facts and free-form notes in `MemoryStore` without any visible consent flow, retention policy, or stated necessity. Because the stored content includes personal profile details and can later influence responses, this creates a real privacy and data-minimization risk even if the feature appears product-motivated rather than malicious.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The route-generation logic resolves destinations from persistent memory fields such as `home`, `address`, and `work`, then returns actionable navigation data. Using stored sensitive location data to generate routes increases exposure of highly sensitive whereabouts and can disclose or operationalize home/work addresses beyond the user's immediate expectation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The template injects `googleMapsEmbedApiKey` into `window.GATEWAY_CONFIG`, making the key visible to every browser user and any script running in the page. Even if this is an embed-only or referrer-restricted key, exposing it client-side can enable unauthorized reuse, quota theft, billing abuse, or easier reconnaissance of integrated third-party services.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
When messages begin with phrases like 'remember that', the application immediately writes structured facts or notes to persistent storage and only responds after the write has happened. There is no prior warning, preview, or confirmation step, so users may disclose personal information believing they are chatting transiently when they are actually creating durable records.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The application automatically memorizes certain user statements in the background based on pattern matching, without any user-facing disclosure or consent. This is especially risky in a chat context because users may unknowingly create long-lived records of personal preferences, activities, work, or home information, which can later be surfaced or repurposed.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The POST /api/state endpoint accepts arbitrary JSON from the client and writes it directly via save_state() with no authentication, authorization, validation, or CSRF protection visible in this file. That means any party able to reach the endpoint can overwrite application state, potentially causing unauthorized configuration changes, denial of service, or persistent tampering depending on how the stored state is used elsewhere.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content
Flask>=3.0.0
requests>=2.31.0
python-dotenv>=1.0.1
Confidence: 95%
Finding
Flask>=3.0.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content
Flask>=3.0.0
requests>=2.31.0
python-dotenv>=1.0.1
Confidence: 95%
Finding
requests>=2.31.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content
Flask>=3.0.0
requests>=2.31.0
python-dotenv>=1.0.1
Confidence: 93%
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: Flask — 8 advisories: CVE-2025-47278 (Flask uses fallback key instead of current signing key); CVE-2018-1000656 (Flask is vulnerable to Denial of Service via incorrect encoding of JSON data); CVE-2019-1010083 (Pallets Project Flask is vulnerable to Denial of Service via Unexpected memory u) +5 more

Severity: High
Category: Supply Chain
Confidence: 82%
Finding
Flask

Known Vulnerable Dependency: requests — 10 advisories: CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

Severity: High
Category: Supply Chain
Confidence: 84%
Finding
requests

Known Vulnerable Dependency: python-dotenv — 1 advisory: CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Severity: Low
Category: Supply Chain
Confidence: 67%
Finding
python-dotenv

VirusTotal

66/66 vendors flagged this skill as clean.
