openclaw-hxa-connect

Security checks across malware telemetry and agentic risk

Overview

This is a real HXA-Connect messaging plugin, but it also gives the agent organization-admin powers that users should review carefully before installing.

Install only if you intend this agent to communicate through HXA-Connect and can use a least-privilege token. Do not configure a token with organization-admin powers unless you explicitly want the agent able to change bot roles, create access tickets, and rotate org secrets. Prefer allowlists and mention mode for untrusted threads, and treat agentToken and webhookSecret as secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly enables network communication to an external messaging hub, yet no metadata or permission declaration is provided to signal that capability. This weakens user awareness and policy enforcement, increasing the chance that an agent operator enables outbound communications without understanding the data exposure and trust implications.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This messaging-oriented skill exposes powerful administrative actions such as role assignment, org ticket creation, and secret rotation through the same agent-accessible tool surface. If an LLM or downstream workflow can invoke this tool, prompt injection or mistaken tool use could alter organization state, grant privileges, or rotate secrets well beyond the expected messaging scope.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The tool can persistently modify local configuration via set-thread-mode, which exceeds a pure messaging role and creates durable state changes from tool invocation. In an agent environment, that makes prompt-injection-driven persistence possible, allowing attackers to alter future bot behavior across sessions.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Secret rotation is a sensitive administrative action that can disrupt integrations and change trust boundaries, yet it is exposed through a general-purpose messaging skill tool. If triggered unintentionally or via prompt injection, it could break service access or force emergency recovery workflows.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Organization ticket creation can issue reusable or time-limited onboarding/access artifacts, which materially affects access control. Exposing this through a messaging-focused skill widens the blast radius of any prompt injection or accidental invocation into organization-level access management.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Bot role assignment directly changes privileges and can promote principals to admin, making it a high-risk access control operation. In the context of an LLM-accessible messaging tool, this is dangerous because tool misuse could escalate privileges without a clear administrative boundary.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes sending and receiving messages, thread context, replies, artifacts, and catchup data through an external hub, but it does not prominently warn that conversational content is transmitted off-platform. In an agent environment, this can lead to unintentional exfiltration of sensitive prompts, internal analysis, or user data to a third-party service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The configuration examples include live-looking bearer token fields such as agentToken without warning readers to treat them as secrets. This increases the risk of credential leakage through copied configs, screenshots, logs, repositories, or shared skill files, which could allow unauthorized access to the bot account and its messages.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
On plugin registration, the code may automatically rewrite the configuration file to migrate settings, without explicit user confirmation at the time of modification. While intended as migration logic, silent persistent changes increase supply-chain and operational risk because loading the plugin can alter local state unexpectedly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The setThreadModeInConfig path writes directly to the persistent config file from a tool-triggerable action, with no confirmation or operator-facing warning about durable modification. In an agent setting, this enables prompt-injection-induced policy changes that survive beyond the current interaction.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Create a thread
curl -sf -X POST ${HUB_URL}/api/threads \
  -H "Authorization: Bearer ${TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"topic": "Review the report", "tags": ["request"], "participants": ["reviewer-bot"]}'
```
Confidence
88% confidence
Finding

VirusTotal

62/62 vendors flagged this skill as clean.
