Openclaw Command Center

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate dashboard, but it exposes sensitive agent data and operational controls with under-scoped default access protections.

Install only if you intend to run a local admin dashboard for OpenClaw. Use token, Tailscale, or Cloudflare Access, bind it explicitly to localhost or a trusted interface, avoid public tunnels unless you add strong access controls, and treat the Operators, Memory, Sessions, Jobs, and Cerebro views as sensitive operational data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (33)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill advertises and launches a Node.js server with environment, network, and shell capabilities but does not declare permissions. That creates a transparency and trust problem: users and tooling cannot accurately assess the runtime access the skill needs, and the shell-based install/start path increases the chance of unexpected command execution or network exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose presents the skill as a read-oriented monitoring dashboard, but the described behavior includes control-plane and state-changing actions such as job control, operational actions, privacy setting changes, record updates, dependency installation, tunnel management, and external synchronization. This mismatch is dangerous because users may grant trust assuming passive observability while the skill can perform administrative actions and interact with external systems.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The server exposes state-changing job control endpoints (`run`, `pause`, `resume`, `skip`, `kill`, cache clear) and a Cerebro topic status write path over HTTP. In a dashboard skill, these are materially more dangerous than read-only monitoring because any auth bypass, misconfiguration, or localhost exposure enables operational tampering and disruption of agent workflows.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code mines session transcripts to extract Slack, Telegram, and Discord identities and persists them to `operators.json`, creating a derived directory of users without explicit consent or minimization. This increases privacy risk and broadens the blast radius if the dashboard or its data directory is exposed, since transcript content is being repurposed into structured identity metadata.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This dashboard is not purely passive: it exposes management actions such as health checks, gateway status queries, stale-session pruning, and topic state changes via fetch calls to action endpoints. In an agent-skill context, expanding from monitoring into operational control increases the attack surface and can enable unauthorized state changes or command execution if the backend lacks strong authorization and CSRF protections.

Context-Inappropriate Capability

Medium
Confidence
79% confidence
Finding
The UI includes an Operators section with role labels and per-user stats, which goes beyond the stated purpose of session monitoring and exposes user-management-adjacent data. Even if it is read-only in this file, surfacing operator identities, roles, and activity can leak sensitive organizational information and often correlates with privileged backend APIs.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This script gives the skill the ability to install packages and modify the host system, which expands its privileges beyond passive dashboard/monitoring behavior. It also executes install commands sourced from a JSON config via Node's `child_process`, so if that config or package mapping is altered, the script can run arbitrary system-level commands under the user's privileges.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The module goes beyond passive dashboard monitoring and actively mutates external Linear issues by changing states and posting comments based on local session activity. That creates an integrity risk: merely viewing or syncing session state can trigger unintended changes in a third-party system, which is security-relevant because it expands the skill's authority and side effects beyond the stated monitoring scope.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script can intentionally expose the dashboard to the public internet via a Cloudflare tunnel, which expands access beyond a local-only monitoring tool. Even though this requires the explicit `--tunnel` flag, exposing an operational dashboard without built-in authentication or strong exposure warnings can enable unauthorized access if the dashboard itself is not hardened.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Launching `cloudflared tunnel --url http://localhost:$PORT` creates an externally reachable path to a local service, which is risky for a dashboard that appears intended for local monitoring. If the underlying server lacks authentication, CSRF protection, or sensitive-data filtering, remote users could view system state, agent activity, or other operational details.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The authentication check unconditionally authorizes requests from localhost before enforcing the configured auth mode. In practice, services are often exposed through reverse proxies, containers, SSRF paths, SSH tunnels, or local port-forwards, so treating loopback as inherently trusted can let an attacker bypass all configured authentication if they can cause requests to originate from the host or a colocated process. Given this skill is a mission-control dashboard for monitoring agents, sessions, and costs, unauthorized local access could expose sensitive operational data and administrative capabilities.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill claims to be a monitoring/dashboard component, but this file also performs state-changing writes by creating and modifying `topic.md` files. That mismatch increases risk because users or integrators may grant it read-oriented trust while the code can silently alter project state, potentially changing workflow status or creating records without explicit operator intent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The file-writing behavior is not obviously justified by the stated purpose of a real-time dashboard, so it violates least surprise and can lead to unauthorized or unintended modifications. In practice, a consumer expecting observability may expose this skill in contexts where write access to Cerebro topics should never have been granted.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This dashboard is described as a monitoring and analytics interface, but it includes a state-changing endpoint that updates Cerebro topic status. Even if intended as normal product functionality, mixing monitoring with control actions increases risk because any authenticated dashboard user can alter system state through the same surface used for observability.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file exposes POST/PUT handlers that modify operator records and privacy settings, which goes beyond passive dashboard behavior. This is dangerous because a user who is only expected to observe system status can instead change metadata and conceal or alter visibility of operational data, undermining integrity and auditability.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The `/api/action` endpoint accepts a generic action parameter and passes it to `executeAction`, creating an execution surface not justified by a monitoring dashboard's stated purpose. If `executeAction` maps to operational commands, an authenticated user could trigger privileged behaviors from the dashboard, turning an observability tool into a control plane and substantially increasing abuse impact.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The handler exposes active control operations such as run, pause, resume, skip, and kill even though the skill is described as a monitoring/view-only dashboard. This expands the attack surface from read-only observability to state-changing actions, enabling unauthorized or accidental operational changes if the surrounding server does not enforce strong authorization.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code provides remote execution and lifecycle management of jobs through HTTP endpoints, including triggering runs and killing jobs. In a dashboard context, these capabilities are powerful operational primitives that can be abused to execute workloads, disrupt scheduling, or terminate important processes, especially because this file itself performs no visible authorization checks before invoking the backend API.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code performs automated background scanning of session transcript files and extracts identifiable user information from Slack, Telegram, and Discord messages, then persists that data to `operators.json`. Even if intended for dashboard convenience, this expands collection beyond simple system vitals into cross-platform identity surveillance, creating privacy risk and potential unauthorized profiling if users did not explicitly consent.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This logic extracts and correlates identities across multiple communication platforms by regex-parsing transcript text, which is more invasive than ordinary dashboard telemetry. The capability is risky because it silently turns conversational content into a user identity index, increasing exposure of personal data and making accidental overcollection or misuse more likely.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The utility exposes a generic shell-command execution helper built on `child_process.exec`, which runs commands through a shell and can become command injection if any caller passes untrusted or partially controlled input. In a monitoring/dashboard skill, this broad primitive is more dangerous because it is unrelated to the stated purpose and can be reused anywhere in the codebase to execute arbitrary system commands, increasing the attack surface significantly.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code performs a privileged hardware probe by invoking `sudo -n powermetrics` during routine vitals collection for a dashboard. Even though it uses non-interactive sudo and appears intended only to read temperature, introducing sudo-capable execution into a monitoring component expands the attack surface and can trigger execution of privileged commands if sudoers permits it.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README advertises browsing agent memory files, recent messages, and session details, but the excerpt does not pair those features with a prominent warning that these views may expose secrets, personal data, internal prompts, or confidential business content. In a dashboard skill focused on centralized monitoring, normalizing access to these artifacts without explicit caution increases the risk of accidental overexposure during demos, shared deployments, or misconfigured authentication.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README exposes a unified state API and live event stream for sessions, system vitals, and usage data without prominently warning that these endpoints may reveal sensitive operational and user/session information. In a dashboard context, especially one supporting remote modes like token, Tailscale, or Cloudflare, under-documenting data exposure increases the risk of accidental overexposure or insecure deployment.

Missing User Warnings

Medium
Confidence
72% confidence
Finding
Potentially impactful operations such as running, pausing, and resuming jobs are executed immediately with a single click and no confirmation, warning, or friction. In an operations dashboard, accidental activation can disrupt automation, trigger costly workloads, or alter system state, especially because keyboard shortcuts and frequent UI interaction increase the chance of mistakes.

VirusTotal

64/64 vendors flagged this skill as clean.