Back to skill

Security audit

openclaw-dashboard

Security checks across malware telemetry and agentic risk

Overview

This is a mostly disclosed OpenClaw admin dashboard, but it needs Review because it can execute agent tasks, modify/reset/update the workspace, and places the dashboard auth token into agent instructions.

Install only if you want a local OpenClaw administrative control plane, not a passive dashboard. Set a strong OPENCLAW_AUTH_TOKEN, keep it bound to localhost unless the tunnel/proxy is tightly controlled, avoid enabling mutating/config/provider-audit/key-loading flags casually, and treat task spawning as sensitive because dashboard credentials can enter agent context and logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises extensive access to environment variables, networked endpoints, local files, and shell-capable operations, but does not declare corresponding permissions. This creates a transparency and governance gap: operators and policy engines may trust the skill as lower-privilege than it really is, increasing the chance of unsafe deployment or overbroad execution in sensitive environments.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose frames the skill as a monitoring dashboard, but the content describes many high-risk mutating and administrative capabilities: file read/write, attachment handling, webhook-triggered task execution, backup/restore, self-update, restart/reload, config viewing, and provider/admin API access. This mismatch is dangerous because users may install or expose the skill expecting read-only observability, while actually enabling a broad remote administration surface that can modify state, access sensitive data, and trigger privileged operations.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
The HTML and metadata describe a monitoring dashboard, but the page implements task management, task creation/deletion, task spawning, document editing, and operational controls. This scope expansion is dangerous because users or downstream systems may grant the skill broader trust/access than intended, enabling modification of workspace state under the guise of a read-only dashboard.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The UI exposes backup, restore, update, and restart actions, which are high-impact state-changing operations. In a dashboard context, this significantly increases the blast radius: if the page is exposed to an unintended user or a stolen token/session, an attacker could disrupt service or alter system state from the browser.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The dashboard can spawn tasks as sub-agents, which goes beyond passive monitoring into active execution. If misused, this can trigger autonomous actions, consume resources, or perform unintended operations from a UI that users may assume is observational only.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The workspace file viewer/editor allows modification of files like MEMORY.md and other workspace content from within the dashboard. In context, this broadens the skill from monitoring into content tampering, which can change agent behavior, overwrite documentation, or persist malicious instructions.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The dashboard exposes privileged operational endpoints for updating software, creating backups, pushing to git remotes, and performing hard git resets. Even with auth and some localhost gating, this greatly expands the blast radius of a monitoring service into code execution and destructive system administration, which is dangerous if the token is leaked, the dashboard is exposed, or another local process can access it.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The code runs local system commands such as pgrep and optionally systemctl restart from a dashboard process. While arguments are not shell-interpolated here, embedding service control inside a web server increases privilege and makes compromise of the dashboard materially more harmful.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The config endpoint reads and returns sensitive or secrets-adjacent files including openclaw.json, keys.env, and exec-approvals.json. Although some masking is attempted, regex masking is brittle and can miss secrets or expose enough metadata to aid credential abuse and environment reconnaissance.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The page is designed to display detailed host telemetry including top processes, hostname, platform, architecture, CPU model, Node.js version, memory, and disk mount. If this dashboard is reachable by unauthorized users or weakly protected, it materially increases reconnaissance value for attackers by exposing process inventory and infrastructure details that can be used for targeting and lateral movement.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README documents an option to load `~/.openclaw/keys.env` into the dashboard process but does not clearly explain that this imports provider API secrets into a long-running web-facing service. In the context of an operations dashboard that may expose diagnostic endpoints and remote access options, expanding the process environment with provider keys increases blast radius if the dashboard is compromised or logs/debug output leak environment data.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
Task deletion uses a minimal generic confirmation ('Delete this task?') without clearly communicating irreversibility or consequences. In a UI with broad task and agent-management authority, weak confirmation increases the chance of accidental destructive actions and makes malicious click-driving easier.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Saving edited workspace files immediately overwrites content without a strong warning about behavioral or configuration impact. Because these files may influence agent memory or operation, accidental edits could materially alter system behavior or destroy important state.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The restore confirmation mentions overwriting current workspace changes but does not clearly communicate broader service, config, or behavioral consequences. Given the dashboard also exposes restart/update flows, restoring state may have significant operational impact beyond just file overwrite.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The file write endpoint allows authenticated clients to overwrite markdown files in the workspace. Path restrictions reduce scope, but this still enables unauthorized content tampering, persistence, or prompt/instruction poisoning if the auth token or cookie is compromised.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The attachment routes allow authenticated upload and deletion of persisted files, and optional server-side file copy can ingest files from local paths when enabled. This creates a writable file surface that can be abused for tampering, storage abuse, or exposing locally generated sensitive artifacts if credentials are misused.

Missing User Warnings

High
Confidence
98% confidence
Finding
The backup restore endpoint performs a hard git reset to a prior auto-backup commit, which is destructive and can discard local changes. Exposing this via the dashboard makes rollback an HTTP-triggerable destructive operation rather than a deliberate admin action in a terminal.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.potential_exfiltration

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
api-server.js:1748

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
api-server.js:11

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
api-server.js:669