Back to skill

Security audit

Task Monitor

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw monitoring dashboard, but it can expose session details and prompt excerpts over an unauthenticated LAN-accessible web server.

Install only if you are comfortable with OpenClaw session metadata and first prompt excerpts being visible through this dashboard. Run it on a trusted machine, prefer changing the bind host to localhost, use firewall or authentication before any LAN exposure, and avoid it for sessions that may contain secrets, customer data, private instructions, or sensitive business content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions even though its documented behavior requires network exposure and access to environment/local system context. This creates a transparency and review gap: operators may approve or run the skill without understanding that it opens a server and accesses local OpenClaw-related data sources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose understates materially sensitive behavior: the skill reads local session transcript data, writes dashboard artifacts to disk, and exposes a server on 0.0.0.0 for LAN access. That mismatch is dangerous because reviewers and users may treat it as a simple local dashboard while it actually processes potentially sensitive task/session content and makes it reachable to other devices.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script reads full session transcript files to extract the first user message and publishes that content into a dashboard file. This expands the skill from operational status reporting into collecting and redisplaying potentially sensitive prompt or task content, which may expose secrets, private instructions, or user data to anyone with access to the generated dashboard.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The helper reads local OpenClaw transcript files and extracts the first user message, then the API includes that description in `subagents`, which the dashboard renders for any web client. Because the server binds to `0.0.0.0` and no authentication or authorization is present, a monitoring tool is exposing potentially sensitive prompt content from local transcripts to anyone who can reach the service.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
These lines attach transcript-derived `description` fields to subagent session objects and return them through `/api/status`, exposing task content over HTTP. In the context of a real-time dashboard, this exceeds operational monitoring and turns the endpoint into a data disclosure surface for prior user inputs and agent work context.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly advertises that the dashboard is accessible on the local network and exposes a JSON status API, but it does not warn that this may disclose sensitive session and task metadata such as models, token usage, session identifiers, descriptions, and cron activity to other users on the same LAN. In the context of an agent-monitoring tool, that information can aid reconnaissance or reveal operational details even if the service is intended for convenience on trusted networks.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation instructs users to run a dashboard accessible on the LAN and even advertises the LAN URL, but provides no warning that session/task data may be visible to other devices on the network. In context, the dashboard includes session stats, sub-agent descriptions, and cron history, so exposing it beyond localhost can leak operational and potentially sensitive user activity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code reads user-derived transcript content from disk and exposes it through the web interface without any disclosure, consent boundary, or access control. This creates an information leakage path where sensitive prompts, secrets, or private data entered by users may be revealed to other local or network users.

Ssd 3

Medium
Confidence
95% confidence
Finding
The function extracts user-provided text from transcript JSONL files and returns it for display in the dashboard, directly exposing prior user inputs through the status interface. Since the app listens on all interfaces and lacks authentication, this can leak sensitive task instructions, credentials pasted into prompts, or private business data to unauthorized viewers.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dev": "node server.js"
  },
  "dependencies": {
    "express": "^4.22.1"
  },
  "keywords": [
    "monitoring",
Confidence
93% confidence
Finding
"express": "^4.22.1"

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/generate-dashboard.js:9

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
server.js:499