
Security audit

Openclaw Command Center

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate OpenClaw dashboard, but it exposes sensitive agent data and control actions behind weak defaults (auth mode 'none', a wildcard CORS origin, and a built-in public tunnel option) that users should review before installing.

Install only if you intend to run an administrative dashboard over your OpenClaw workspace. Before use, bind it to localhost or a trusted network, enable token/Tailscale/Cloudflare auth, avoid public tunnels unless access is strongly protected, and review whether operator auto-discovery, job controls, and optional Linear sync are acceptable for your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (28)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and installs a shell-launched Node server with implied access to environment variables, local files, and network services, yet it declares no permissions. This creates a transparency and trust problem: users may install or run it without understanding that it can read workspace data, expose it over HTTP, and interact with the host system.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is a passive monitoring dashboard, but the analyzed behavior includes active job control, persistent file modification, transcript analysis, identity extraction, and external API integration. That mismatch is security-relevant because users may grant trust appropriate for a read-only dashboard while the skill can change system state, process sensitive conversation data, and communicate externally.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The server exposes state-changing endpoints for jobs and Cerebro topic status, including run, pause, resume, skip, kill, cache clear, and topic status mutation. That exceeds the stated monitoring/dashboard purpose and increases risk because a UI marketed as observational is actually capable of operational control, which can be abused if auth is misconfigured or bypassed.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The skill scans session transcripts and extracts human identifiers from Slack, Telegram, and Discord to build operator profiles and activity metadata. This creates a surveillance/privacy risk and broadens the sensitivity of the dashboard by collecting cross-channel identity data without clear consent or minimization.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The dashboard is described as a monitoring/viewing skill, but the UI exposes state-changing administrative operations such as health checks, gateway actions, stale-session pruning, topic status mutation, and privacy-setting persistence. Expanding a monitoring surface into a control plane increases attack surface and raises the consequences of unauthorized UI access or CSRF/misuse through the browser.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This script goes beyond passive dashboard functionality and performs host-level package installation based on project-controlled configuration data. Even if intended as a convenience feature, it creates a trust boundary violation: running the skill can modify the host system, invoke package managers, and execute installation commands that the user may not expect from a monitoring dashboard.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The Node snippet loads dependency metadata and then directly executes shell commands from that data via execSync(cmd, { stdio: 'inherit' }). This gives the project the ability to run arbitrary host commands with the user's privileges, making the feature dangerous if the config is modified, the repository is compromised, or the skill is installed in an environment that expects only dashboard/monitoring behavior.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
This file does more than passive monitoring: it mutates external Linear issues and posts comments based on local session activity. That creates an integrity-impacting side effect outside the dashboard's stated "view all your AI agents in one place" purpose, and can be abused or misfire to alter issue workflow without explicit authorization or operator intent.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The code reads session transcripts from disk and uses their contents to drive synchronization to an external tracker, which expands the data-access scope beyond a typical monitoring dashboard. Even if only issue IDs are extracted here, this still processes potentially sensitive transcript data and creates external side effects from it without clear minimization or authorization boundaries in this file.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script can deliberately expose the locally hosted dashboard to the public internet by launching a Cloudflare tunnel. For a monitoring/control dashboard, this materially expands the attack surface and may permit unauthorized access to session data, agent telemetry, or control features if the web app lacks strong authentication and transport/security controls.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Including built-in public tunneling capability in a dashboard startup script is risky because it makes external exposure a first-class feature, despite the skill being described as a monitoring dashboard rather than a remote publishing service. If used on a system with sensitive agent data or operational controls, an attacker who discovers the tunnel URL could access internal observability and potentially administration surfaces.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The classifier persistently stores learned topics and session references derived from transcripts to disk, which creates a data-retention capability beyond transient classification. In a dashboard/monitoring skill, retaining transcript-derived metadata and session linkage increases privacy risk because sensitive user activity can be reconstructed over time if the state file is accessed or misused.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code stores per-session topic history by associating discovered topics with session keys, enabling longitudinal tracking of session activity. Even if the content itself is not stored, topic/session linkage can reveal user behavior patterns and sensitive themes discussed across sessions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The server is described as a monitoring dashboard, but it also exposes multiple state-changing endpoints such as topic status updates, operator writes, privacy settings writes, and job/action handling. Even if these are intended admin features, expanding a monitoring surface into a control plane increases risk because any authentication misconfiguration, exposed token, or network exposure turns the dashboard into a mutation interface for local agent state and operational data.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The `/api/action` route accepts a generic `action` parameter and passes it into `executeAction(...)`, which is much broader than the stated dashboard purpose and creates an administrative execution primitive. Without very tight allowlisting and authorization, this kind of endpoint can become a confused-deputy mechanism for triggering sensitive OpenClaw operations, potentially leading to command execution, workflow manipulation, or unintended side effects from a web-accessible interface.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The handler exposes state-changing job control endpoints such as run, pause, resume, skip, kill, and cache clear, while the skill is described as a monitoring/viewing dashboard. Even if these routes are intentional operational features, they expand the skill from observation into active control, increasing the attack surface and enabling unauthorized or accidental disruption if access controls are weak or absent.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Providing execution and termination capabilities from a dashboard endpoint allows a user or attacker with access to trigger jobs or kill running work, which can cause denial of service, unsafe task execution, or operational misuse. The code does not show local authorization checks for these sensitive actions, so the danger is amplified if this router is reachable from a broader dashboard audience.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This code performs background mining of session transcripts to derive operator identities and then persists them to disk, which exceeds the stated dashboard purpose of session monitoring, usage tracking, and system vitals. Even if intended for convenience, it creates an undisclosed identity-correlation dataset from user conversations, increasing privacy and insider-risk exposure if the dashboard or host is accessed by unauthorized parties.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code parses message contents to extract Slack, Telegram, and Discord identities using regexes, allowing cross-platform identification from transcript text that users may not expect to be repurposed this way. In the context of a command-center dashboard, this broad collection is not clearly necessary and can facilitate user profiling, correlation across systems, and leakage of personally identifying metadata.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This utility module exposes a generic shell execution primitive via `runCmd(cmd, options)` using `child_process.exec`, which invokes a shell and is highly susceptible to command injection if any caller passes untrusted or partially influenced input. In a mission-control dashboard context, this is especially risky because such dashboards often aggregate system, agent, and session data from multiple sources, increasing the chance that external input could reach this helper and lead to arbitrary command execution on the host.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The README advertises features such as browsing memory files, viewing session details, operator activity, and privacy controls, but it does not prominently warn that these views may expose sensitive prompts, internal notes, user content, or operational metadata. In a dashboard for AI agents, normal use could unintentionally reveal confidential information to anyone with dashboard access, especially if authentication is misconfigured or disabled for local convenience.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation states that the dashboard runs on localhost and exposes unified state and event APIs, but it does not clearly warn that these endpoints may aggregate sensitive session, cost, operator, and system telemetry. In practice, local web services are often exposed via port forwarding, VPNs, tunnels, or misconfiguration, so under-warning users increases the chance of accidental data exposure.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The server sets Access-Control-Allow-Origin to '*' globally and defaults auth mode to 'none', while many endpoints expose detailed session, operator, transcript-derived, and system data. In common deployments this makes sensitive data broadly reachable and script-accessible, especially if the service is bound beyond localhost or proxied externally without strong auth. The two defaults compound each other: because no credential is required, the wildcard origin lets a script on any page the user happens to visit read these endpoints with a plain cross-origin fetch wherever the browser allows the request to reach the dashboard's address, so the same-origin policy offers no protection at all.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The 'Clean Stale Sessions' action is exposed as a one-click operation with no visible warning, confirmation, or undo path. This makes accidental destructive actions more likely and lowers the bar for abuse if an attacker can induce clicks or gain access to the dashboard session.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The tunnel can be started with only a minimal status message and no explicit warning that the dashboard will become reachable from outside the host. This increases the chance of accidental exposure by users who may not understand that a local monitoring UI is being published to the public internet, especially in environments where the dashboard contains sensitive operational or cost data.

VirusTotal

0/64 vendors flagged this skill; all 64 reported it clean. Signature-based antivirus results say nothing about the design issues listed above: a Node dashboard that legitimately calls child_process, reads transcripts, and opens tunnels contains no malware signature to match.


Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process). Severity: Critical. Locations:
  • lib/server.js:461
  • scripts/install-system-deps.sh:50
  • scripts/linear-sync.js:495
  • src/llm-usage.js:19
  • src/openclaw.js:46
  • tests/iostat-leak.test.js:16
  • tests/server.test.js:14

The detector attaches the same message and the same Critical rating to every call site, so the rating is the rule's fixed severity rather than a per-location judgement. The two locations under tests/ exercise the primitive in test code that does not run in the served dashboard; the other five are runtime code and are the ones to read against the shell-execution, install-script and Linear-sync findings above.