JARVIS UI

Security checks across malware telemetry and agentic risk

Overview

This is a real OpenClaw dashboard, but it exposes powerful agent-control features and credentials through a web server with weak access-control guidance.

Install only if you intend to run an administrative OpenClaw control dashboard and can keep it local or behind strong access controls. Do not expose it to a LAN or the internet as configured, avoid allowInsecureAuth for remote use, protect the .env Gateway token, review /api/status before use, and update the flagged dependencies before any shared or long-running deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 82%
Finding: The skill advertises and documents behavior that uses environment/config secrets and network connectivity, yet no permissions are declared. That creates a trust and review gap: users may install a UI skill expecting limited local rendering while it can access gateway tokens and communicate over the network.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: This is a significant description-behavior mismatch. The skill is presented as a dashboard UI, but the detected behavior includes identity/token persistence, reading and writing sensitive OpenClaw files, command execution, cron control, file upload handling, and speech-processing pipelines; these capabilities materially expand attack surface and user risk beyond a simple interface.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The route exposes a state-changing capability that enables or disables OpenClaw cron jobs from the web interface, which goes beyond a purely visual HUD/dashboard role. If this endpoint is reachable without strong authorization, an attacker or unintended user can alter agent scheduling and disrupt automation, persistence, or monitoring behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: This code invokes the external OpenClaw CLI from a web server context, giving HTTP routes indirect control over local scheduled-job state. Although execFile avoids shell injection, exposing privileged CLI operations through a dashboard increases the attack surface and can let remote users manipulate local agent behavior if access controls are weak or absent.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The /status endpoint returns getSessionKey() directly to any caller, exposing an active session credential through a likely unauthenticated status API. If a frontend client, third-party script, or network observer can read this response, the session key may be reused to access or impersonate the active gateway session.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The setup script automatically reads a Gateway authentication token from the user's OpenClaw config and writes it into a project-local .env file without explicit consent. This increases credential exposure because local env files are commonly left world-readable on shared systems, accidentally committed, or consumed by other tooling, and the token belongs to a control interface for an agent dashboard.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The README explicitly instructs users to set `allowInsecureAuth: true` for remote access, which weakens the Gateway's authentication protections in a non-local context. Publishing this as a normal setup step without a strong warning or safer alternative can lead users to expose sensitive agent control and chat functionality over an insecure channel, increasing the risk of token theft or unauthorized access.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The documentation instructs users to enable `allowInsecureAuth` for non-localhost access, effectively normalizing a weaker authentication posture for remote exposure. In the context of a control UI connected to an agent gateway, this can enable unauthorized access, session hijacking, or remote control if the service is reachable by other machines.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The lack of user-facing disclosure is secondary; the core issue is that a session-linked secret is being exposed at all. Even in a dashboard context, surfacing a live session key without clear access controls or consent materially increases the chance of credential leakage and downstream account or session abuse.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: This code broadcasts host-level telemetry including CPU usage, memory usage, uptime, and process count to all connected clients, but there is no authentication, authorization, consent, or minimization visible in this file. In a web dashboard context, these metrics can expose operational details about the server environment and user activity patterns, which can aid reconnaissance or leak sensitive system state to unintended recipients.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding: When the Edge TTS path is used, arbitrary text content is sent to the external `edge_tts` engine, which may involve third-party processing of potentially sensitive chat or agent output. In a dashboard/agent UI context, spoken text can easily contain secrets, system details, or user content, so lack of clear disclosure and consent creates a real privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The script copies a gateway token from a user config file into .env without warning or confirmation, silently expanding where a sensitive credential is stored. In the context of a web UI that connects to a Gateway WebSocket and may be exposed remotely, this makes accidental disclosure or misuse of a control token materially more dangerous.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The drop handler immediately calls handleChatSend() after files are dropped, which can upload local files to /api/chat/upload without an explicit confirmation step. In a chat dashboard for agents, users may drag files onto the orb accidentally or misunderstand the action as a preview-only gesture, causing unintended disclosure of sensitive local content.

Missing User Warnings

Severity: Low
Confidence: 82%
Finding: speakText() posts assistant reply text to /api/tts whenever ttsEnabled is true, but this file shows no user-facing disclosure or consent flow for sending response content to a backend TTS service. If replies contain secrets, personal data, or model output from sensitive contexts, this creates an additional data-sharing path beyond normal chat display.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The component automatically encodes captured microphone audio and uploads it to /api/voice once speech ends, but this transmission is not accompanied by a clear just-in-time disclosure or confirmation at the point of sending. In a voice-enabled agent UI, this creates a meaningful privacy risk because users may not realize that spoken content is leaving the browser and being processed server-side, especially with automatic VAD-triggered recording.

Ssd 3

Severity: Medium
Confidence: 97%
Finding: The docs state that a gateway token is auto-detected from a local config file and, in the same section, advise enabling insecure remote authentication for non-localhost use. Together, this creates a plausible path where sensitive local credentials are consumed by a remotely exposed UI, increasing the chance of credential misuse or unauthorized gateway control.

Known Vulnerable Dependency: vite==7.3.1 — 3 advisories: CVE-2026-39365 (Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling); CVE-2026-39363 (Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket); CVE-2026-39364 (Vite: `server.fs.deny` bypassed with queries)

Severity: High
Category: Supply Chain
Confidence: 99%
Finding: vite==7.3.1

Known Vulnerable Dependency: multer==2.0.2 — 3 advisories: CVE-2026-3520 (Multer Vulnerable to Denial of Service via Uncontrolled Recursion); CVE-2026-2359 (Multer vulnerable to Denial of Service via resource exhaustion); CVE-2026-3304 (Multer vulnerable to Denial of Service via incomplete cleanup)

Severity: High
Category: Supply Chain
Confidence: 98%
Finding: multer==2.0.2

Known Vulnerable Dependency: ws==8.19.0 — 1 advisory: CVE-2026-45736 (ws: Uninitialized memory disclosure)

Severity: Low
Category: Supply Chain
Confidence: 94%
Finding: ws==8.19.0

VirusTotal

65/65 vendors flagged this skill as clean.
