Claw Body

Security checks across malware telemetry and agentic risk

Overview

This avatar and presentation skill is mostly purpose-aligned, but its local server exposes broad unauthenticated APIs that can use credentials, the local agent, uploaded files, and presentation parsing while it is running.

Review before installing. Use this only if you trust NuwaAI with microphone audio and trust this local server to proxy requests to your OpenClaw agent. Run it only when needed, avoid using high-value NuwaAI credentials, do not upload confidential presentations unless you are comfortable with their contents being processed for narration, and close the server when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium (88% confidence)

The UI adds PPT/PDF upload and presentation parsing features that materially expand the skill's data-handling scope beyond a simple avatar/chat interface. This increases attack surface because users may upload sensitive local documents without a clear expectation from the skill description that files will be transmitted to backend parsing endpoints.

Description-Behavior Mismatch

Medium (91% confidence)

The page is not only an avatar frontend; it also sends user prompts to a separate backend via /api/chat/stream, which is broader behavior than the manifest suggests. That mismatch is security-relevant because users may believe they are interacting only with the avatar provider while their messages are also routed to another service with different data handling and trust boundaries.

Missing User Warnings

Medium (94% confidence)

The skill explicitly states that user voice is sent to NuwaAI for ASR, but it does not present this as a clear privacy warning or obtain explicit informed consent before microphone audio is transmitted to a third party. Because the skill handles real-time voice/video interaction and encourages users to sign up for an external service, users may unknowingly disclose sensitive spoken information to NuwaAI under assumptions that processing is local or only within OpenClaw.

Missing User Warnings

Medium (95% confidence)

Microphone capture is started automatically when the Nuwa WebSocket opens, rather than only after a fresh user action at the moment of recording. Even though browser permissions still apply, auto-start after connection can surprise users and lead to unintended audio transmission to the remote service once permission has been granted.

Missing User Warnings

Medium (84% confidence)

The page collects API key, avatar ID, and user ID and posts them to /api/config without an explicit notice describing storage, transmission, or retention. Because API keys are sensitive credentials, silently forwarding them to a backend can cause credential exposure or misuse if the server is compromised or behaves unexpectedly.

Missing User Warnings

Medium (91% confidence)

The server stores the user's Nuwa API key in plaintext in a local JSON file without any consent prompt, warning, or file permission hardening. On multi-user systems or in compromised environments, local attackers or other software could recover the key and use it to impersonate the user against the Nuwa service.

Missing User Warnings

Medium (94% confidence)

Presentation contents are bundled into a prompt and sent to the OpenClaw gateway for narration generation, which may forward them to an LLM service. This can expose confidential slide text, speaker notes, or business data without clear user awareness or an explicit opt-in tied to upload/parse operations.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
