ClawHub

KokoChat Pairing

Security checks across malware telemetry and agentic risk

Overview

The skill is broadly for KokoChat pairing, but it also creates persistent relay credentials and tries to manage a background relay process without clear user-facing control.

Install only if you intend this skill to approve KokoChat as an operator-capable OpenClaw device and to set up relay-based connectivity. Treat the returned connection code like a password, because it contains usable device and relay credentials. Review or remove the created ~/.openclaw/devices and ~/.openclaw/kokochat-relay state if pairing was unintended, and be aware the bundled artifact references a relay connector that is not included here.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill description says it approves pairing and returns a connection code, but the implementation also provisions relay credentials, writes persistent relay configuration, and starts a detached background connector process. That hidden side effect expands the trust boundary from local token issuance to persistent network service management, which can surprise users and create unintended long-lived connectivity.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code spawns a detached external process and manages other PID files, including stopping previously running connectors, even though this is not narrowly necessary to validate a pairing request and print a code. Process creation plus network connector management creates persistence and remote connectivity side effects that increase attack surface and make misuse harder for users to detect.

Missing User Warnings

Low
Confidence
75% confidence
Finding
The skill requests filesystem_write and network capabilities and describes approving devices, but the operational instructions do not clearly warn the operator that running the pairing flow will persist approved device metadata locally and may establish network-backed relay behavior. This weakens informed consent and can lead users to authorize a new device without understanding the local state change and trust implications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script prints a base64url setup blob containing a freshly approved device token and a relay URL whose query string embeds the relay secret. Anyone who can read stdout, logs, shell history, copied chat transcripts, or intercepted output can reuse those credentials to impersonate the paired device or attach to the relay tunnel.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script silently reads local configuration from openclaw.env and then uses those values to configure outbound relay behavior and start a background connector, without any disclosure in the advertised skill behavior. Hidden use of local config and network startup is risky in an agent skill because users may expect a pure formatting/approval action, not environment-driven persistent connectivity.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal