Task Monitor

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate OpenClaw monitoring dashboard, but it can expose session and task details from local transcripts over an unauthenticated LAN-accessible web service.

Install only if you are comfortable with OpenClaw session metadata and first-prompt task descriptions being displayed by a local web dashboard. Prefer running it on localhost only, behind authentication, or on a trusted isolated network; avoid use if session prompts may contain secrets, customer data, internal instructions, or other sensitive content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises and relies on network access and environment-backed local capabilities, but does not declare permissions. This weakens the trust boundary for reviewers and users because the skill can expose session/task data over HTTP and access local OpenClaw-derived data without explicit disclosure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared description understates the actual behavior: the skill reads local transcript content, writes dashboard files, manages background server state, and exposes monitoring data on a LAN-accessible interface. This mismatch is dangerous because operators may install it expecting a simple dashboard, while it actually processes sensitive local data and serves it over the network.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script reads per-session transcript files and extracts the first user message to populate the dashboard. That expands the feature from session metadata display into content harvesting, which can expose sensitive prompts, secrets, or private task details to anyone with access to the dashboard file.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The helper reads local OpenClaw transcript files and extracts the first user prompt, then the dashboard returns that description to any client. This exposes potentially sensitive prompt/task content unrelated to basic operational monitoring, creating an information disclosure risk if prompts contain secrets, internal instructions, or personal data.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The service listens on 0.0.0.0 and exposes an unauthenticated dashboard/API containing session metadata and transcript-derived task descriptions to the entire LAN or any reachable network. In this skill context, the data relates to active agent sessions and tasks, so unauthorized users could monitor activity and harvest sensitive operational details without any barrier.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The changelog explicitly tells users to access the dashboard via `http://<your-ip>:3030`, which normalizes LAN exposure of a monitoring service without any warning about who on the network can view it or whether authentication is required. For a dashboard that surfaces session, sub-agent, Discord, and cron job status, exposing it beyond localhost can leak operational metadata to other devices on the local network and increases the attack surface.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly states the dashboard is accessible on the local network and documents an unauthenticated JSON status endpoint that exposes session metadata such as models, token counts, session IDs, descriptions, and cron activity. Even though this is documentation rather than code, it describes and encourages deployment of a monitoring service that may leak operationally sensitive information to any host that can reach port 3030, with no warning about access control or privacy risks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The markdown explicitly says the server is accessible on the LAN and exposes monitoring/API endpoints, but provides no warning that session and task data may be visible to other devices on the network. In the context of an OpenClaw monitoring skill, this increases risk because dashboards may reveal transcript-derived task descriptions, agent activity, and cron metadata to unintended parties.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script writes markdown containing user-derived task descriptions into a predictable file under the user's home directory. Republishing transcript-derived content increases exposure beyond the original session store and may leak sensitive information to other tools, users, or sync processes that read the dashboard.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code opens transcript JSONL files, parses the first message, and republishes that content into the dashboard without sanitization or user warning. In a monitoring skill, this is more dangerous because operators expect operational visibility, not reuse of session contents, so sensitive prompts can be unintentionally disclosed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code reads user transcript files and surfaces their contents as task descriptions without any warning, consent, or access control. Even though only excerpts are shown, those excerpts may still contain secrets, personal information, or sensitive instructions, making this an unintended privacy and data-leak issue.

Missing User Warnings

High
Confidence
97% confidence
Finding
Configuring the service for LAN-wide access on 0.0.0.0 materially increases the blast radius of the exposed session metadata and task descriptions. Because the skill is a real-time monitor for OpenClaw sessions and background tasks, the combination of network exposure and lack of warning/access control makes sensitive operational visibility available to unintended parties.

VirusTotal

63/63 vendors flagged this skill as clean.
