Avatar

Security checks across malware telemetry and agentic risk

Overview

This is a functional avatar skill, but it also grants and exposes broad business-tool and messaging capabilities that are not tightly scoped for a simple avatar frontend.

Install only if you intend this avatar to operate as a high-trust local OpenClaw operator, not just a visual/TTS frontend. Use restricted API keys and Slack scopes, avoid sensitive conversations unless external sharing is acceptable, and review or disable Slack, email, Stream Deck, kiosk mode, and broad business-tool prompts before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The HTML exposes a dedicated 'Send to Slack DM' control even though the stated skill purpose is only avatar rendering and TTS. That indicates scope expansion into external message delivery, which can enable unintended data exfiltration or user action routing to Slack if wired up elsewhere, especially because the button is merely hidden with CSS rather than removed.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The client implements outbound Slack and email actions even though the declared skill purpose is avatar rendering with Simli and TTS. Hidden or undocumented communication features expand the trust boundary and can be abused to exfiltrate AI-generated or user-derived content to third-party systems without users expecting those capabilities.

Description-Behavior Mismatch

Severity: Low
Confidence: 86%
Finding
The Stream Deck EventSource channel allows remote control actions such as query submission, speaking, muting, interruption, and sending content, but this integration is not reflected in the stated skill purpose. Undocumented remote-control surfaces are risky because they permit external triggering of sensitive actions and reduce operator awareness of what can control the client.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
A single click sends generated detail text to Slack through /api/send-slack, which is outside the narrow rendering/TTS role described for the skill. This creates an exfiltration path for potentially sensitive generated summaries or user-derived content, especially because the text is populated from backend responses and stored in a DOM dataset for reuse.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The client can trigger /api/send-email based on remote Stream Deck events using the generated detail text, despite email not being justified by the skill's stated purpose. This enables silent forwarding of potentially sensitive content to email channels and is more concerning because it can be remotely triggered rather than only manually clicked.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
`getClientConfig` is explicitly documented as returning configuration with 'no secrets', but it includes `config.secrets.simliApiKey`. If this object is sent to browsers or other untrusted clients, the API key is exposed and can be reused to access the Simli service, consume quota, or impersonate the application. In an avatar/voice-rendering skill that likely connects to third-party APIs from a frontend, this makes abuse more plausible and increases risk.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
This avatar skill includes capabilities well beyond interactive avatar rendering and TTS: it can send Slack DMs, send emails, and post/resolve Slack alerts. That expands the trust boundary from presentation-only behavior into external communications and workflow actions, creating a materially larger abuse surface if the server or agent is prompted or invoked unexpectedly.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The chat prompt explicitly tells the agent it has full access to HubSpot, Gmail, Calendar, Notion, and Slack, which is disproportionate to an avatar/TTS skill. In this context, broad tool access raises the risk of prompt injection, unintended data access, and unauthorized actions across multiple business systems from a seemingly simple avatar interface.

Intent-Code Divergence

Severity: Medium
Confidence: 87%
Finding
The code comments that the client config endpoint is safe to expose while acknowledging it may include a secret-like Simli key. Treating secret-bearing config as safe can lead to credential exposure to any client that can reach the endpoint, enabling misuse of third-party services or quota theft.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The Stream Deck integration exposes actions like checking email/calendar, HubSpot, Notion, Slack, customer health, deal pipeline, churn risk, and sending Slack/email messages, which are materially broader than an 'interactive AI avatar with Simli video rendering and ElevenLabs TTS'. This creates hidden operational capability and expands the attack surface: any component wired to the button callback can trigger business workflows and access enterprise data through a UI that appears avatar-focused.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The implementation includes broad operational controls and integrations that are not reflected in the stated skill description, including monitoring business systems and triggering follow-up, drafting, Slack, and email actions. This mismatch can mislead deployers and reviewers about the real capabilities of the skill, undermining informed consent, least privilege, and security review of connected systems.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill advertises forwarding responses to Slack DMs or email without any warning about privacy, consent, or what data may be transmitted to third parties. In context, the avatar may handle conversational or potentially sensitive agent output, so silent forwarding can leak private or regulated information outside the local session.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
Speech recognition transcripts are automatically funneled into handleSend(), which sends them to backend chat and TTS endpoints, but this file shows no clear disclosure, consent prompt, or review step before transmission. Voice input often contains incidental sensitive data, so automatic backend submission increases privacy risk beyond normal UI text entry.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
One-click sharing to Slack occurs without a confirmation dialog, content review workflow, or visible warning that generated detail text will leave the application. Low-friction outbound sharing increases the chance of accidental disclosure of confidential or incorrect AI-generated content.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
This file returns an API key in a client-facing configuration object without any indication that it is intended to be public or safely scoped. Even if the key were meant for frontend use, failing to document or enforce that assumption encourages accidental exposure of privileged credentials and makes security review harder. Given the surrounding code stores it under `secrets`, the inclusion strongly suggests unintended disclosure.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The server exposes an API that forwards caller-provided text into Slack DM sending via the agent, with no authentication, authorization, or confirmation shown in this file. That can be abused to send arbitrary messages to configured targets, enabling spam, impersonation, or social engineering through trusted internal channels.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The `/api/send-email` endpoint takes caller-supplied text and triggers email sending through the agent without any visible access control. An attacker who can reach this endpoint could send arbitrary outbound email from a trusted context, creating phishing, spam, or data exfiltration risk.

VirusTotal

65/65 vendors flagged this skill as clean.