Live Monitoring Dashboard

Security checks across malware telemetry and agentic risk

Overview

This dashboard has a legitimate monitoring purpose, but it can send local system and OpenClaw activity data to hardcoded Discord destinations and can read a local Discord bot token for direct API writes.

Review before installing. Replace all hardcoded Discord user/channel/message IDs, avoid the direct token-reading REST script unless you intentionally want that path, confirm exactly what telemetry will be posted and where, and know how to disable the OpenClaw cron job before enabling continuous updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises shell-based behavior and environment access but does not declare permissions, which weakens reviewability and informed consent for a package that monitors host activity and posts externally. In this context, hidden shell/env capability is security-relevant because the skill handles system metrics and likely secrets-adjacent configuration, so undeclared capability increases the chance of unsafe execution or policy bypass.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a substantive mismatch: the skill claims to use OpenClaw message tooling, but the described behavior includes reading the Discord bot token from local config, making direct Discord REST calls with curl, and relying on hardcoded IDs. That expands trust boundaries, bypasses safer platform abstractions, and can expose credentials or send data to unintended destinations, especially in a continuously running monitoring skill.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The setup guide claims the skill already includes live Discord integration and lists created files, but the earlier instructions describe Discord posting as something the user must manually modify into the monitor. This mismatch is security-relevant because operators may assume external messaging behavior has been fully implemented, reviewed, and is safe, when in fact they may be encouraged to add or trust unverified message-sending logic.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script invokes host shell commands via execSync to enumerate cron jobs and processes, giving the skill OS-level inspection capability beyond simple Discord formatting. Although the current commands are hardcoded, this expands the trust boundary and can expose sensitive host metadata or become command-injection prone if future changes incorporate untrusted input.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script invokes a shell via execSync to run a pipeline for process inspection. Even though the command string is static here, spawning a shell is broader and riskier than necessary in an always-on monitoring skill, and in this context it expands the skill's host-inspection capability beyond what a Discord dashboard description suggests; if the skill runs with elevated privileges, it also reveals host process metadata that may be sensitive.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The generated session script invokes shell commands via execSync (`openclaw cron list` and `ps aux | grep ...`) inside an agent/session context. Even though the commands are currently hard-coded, this unnecessarily grants command-execution behavior to a Discord dashboard helper and expands the attack surface in a privileged runtime where environmental manipulation, PATH hijacking, or future parameterization could turn this into arbitrary command execution or sensitive system enumeration.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The script executes shell commands to inspect cron state and host processes even though it is described as a simple dashboard formatter. In a monitoring skill this may be functionally expected, but invoking shell commands expands the trust boundary, depends on PATH/shell behavior, and exposes host operational metadata that could become sensitive if output is posted to Discord or run in a less-trusted environment.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script reads a Discord bot token from a local config file and uses it to perform authenticated API writes. While this may be functionally necessary, it is still a real security concern because the skill silently consumes a sensitive credential and grants itself the ability to post or modify Discord content, which expands the blast radius if the script is modified, misused, or run unexpectedly.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly advertises outbound Discord API communication for continuous monitoring updates, but it does not clearly warn users that operational and system-health data will be transmitted to a third-party service. In a monitoring skill, that omission matters because users may enable it without understanding that host metadata, usage patterns, session information, or other sensitive telemetry could leave their environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The setup instructions recommend running automated Discord posting via cron every 30 seconds without any clear warning that this creates repeated external actions and persistent outbound communication. In an agent environment, that can lead to unintended data disclosure, spam, noisy persistence, and continuous execution that users may enable without understanding the operational or security consequences.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill openly describes automatic periodic Discord updates containing system health, cron, session, and activity data, but does not prominently warn that this information leaves the host and is transmitted to a third-party service. For a monitoring/dashboard skill, that context makes the omission more dangerous because the data flow is continuous, automatic, and may include sensitive operational metadata useful to attackers.

Natural-Language Policy Violations

Medium
Confidence
79% confidence
Finding
A hard-coded default user ID silently binds the integration to a specific account context, which can cause actions, monitoring scope, or future messaging features to operate against the wrong user without operator awareness. In an agent skill that interfaces with monitoring and potential Discord posting, this creates an authorization and privacy risk because activity may be attributed to or targeted at an unintended account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script automatically transmits operational telemetry to Discord, including process counts, cron job counts, uptime, memory, CPU, and disk information, without any visible consent, disclosure, or access-control checks in the script itself. While this appears intended for monitoring rather than abuse, exposing internal system metadata to an external messaging platform can leak environment details useful for reconnaissance and may violate least-privilege or privacy expectations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends operational telemetry to Discord, including process counts, cron job counts, uptime, memory, CPU, and disk usage, without any consent check, disclosure, or scoping control. Even though the data is not highly secret by itself, it exposes internal system state to an external third-party service and can aid reconnaissance, especially because this skill is specifically designed for persistent off-host monitoring.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script accesses a sensitive Discord bot token from local configuration and immediately uses it for outbound requests without any disclosure, prompt, or clear security boundary. In a skill ecosystem where users may install third-party automation, silent credential use is dangerous because it can normalize hidden secret consumption and make credential abuse harder to detect.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends host operational data to Discord, including process counts, cron-job counts, uptime, memory, CPU, and disk usage, without any consent prompt, visibility control, or destination validation beyond a fixed channel ID. In a monitoring skill this behavior is expected, but it still creates an information-disclosure risk if the Discord channel is accessible to unintended parties or if users are unaware the telemetry is being published externally.

Session Persistence

Medium
Category
Rogue Agent
Content
### Method 2: Cron Job Integration (Recommended)

Create a cron job to run the dashboard automatically:

```bash
# Add this cron job to run every 30 seconds
```
Confidence
95% confidence
Finding
Create a cron job to

Session Persistence

Medium
Category
Rogue Agent
Content
### Method 2: Cron Job Integration (Recommended)

Create a cron job to run the dashboard automatically:

```bash
# Add this cron job to run every 30 seconds
```
Confidence
95% confidence
Finding
Create a cron job to run the dashboard automatically: ```bash # Add this cron job to run every 30 seconds openclaw cron add --name "Live Dashboard Update" --schedule "*/30 * * * * *" --isolated --pay

VirusTotal

65/65 vendors flagged this skill as clean.
