Mission Control

Security checks across malware telemetry and agentic risk

Overview

Mission Control appears to be a real local OpenClaw dashboard, but installing it gives an unpinned external web app ongoing access to the OpenClaw gateway token and broad agent-control features.

Install only if you trust and review the linked GitHub project and npm dependencies. Pin the repository to a known commit, keep the server bound to localhost, avoid exposing it on a network without authentication, use a low-risk OpenClaw profile first, and inspect the systemd service before enabling persistence.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly states it will auto-detect and load a gateway token from the user's OpenClaw config, but provides no warning about the sensitivity of that credential, how it is stored, or whether it is exposed to the web dashboard. In a browser-accessible control panel, silently ingesting an authentication token increases the risk of accidental disclosure, misuse by local users, or leakage through logs/UI if the application is not carefully designed.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal