Clawctl

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent local coordination tool, but its optional dashboard exposes task-changing controls over the network using a long-lived token placed in URLs.

Review before installing. Use it only for trusted agent fleets and trusted local users, keep the dashboard on localhost or a private network, treat dashboard URLs as secrets, and avoid exposing the shared database or token to untrusted agents, terminals, logs, or browsers. No evidence of exfiltration or destructive behavior outside the local coordination database was found.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs the agent to use shell commands, environment variables, and a local SQLite-style database path, but it declares no permissions for env, file read/write, or shell access. This creates a capability mismatch: a host may grant broader access implicitly or users may run the skill without realizing it persists data and interacts with the filesystem. In this coordination-skill context, the behavior is expected, but the lack of explicit declaration weakens reviewability and least-privilege controls.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
`mark_messages_read` updates arbitrary message IDs when `message_ids` is supplied, but it does not verify that those messages belong to `to_agent=agent` or are broadcast messages visible to that agent. Any caller with access to this helper can mark other agents' messages as read, corrupting read-state integrity and hiding notifications or audit cues.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
`cancel_task` allows any caller to cancel any task that is not already `done` or `cancelled`, with no ownership, role, or authorization check. In a coordination system for agent fleets, this enables unauthorized disruption of work by cancelling others' active or pending tasks.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The server advertises token auth, but the root route and HTML are accessible without authentication while the app binds to 0.0.0.0 for LAN/Tailscale exposure. If the frontend exposes sensitive state, embeds the token, or makes authenticated API calls from browser context, this weakens the trust model and can aid reconnaissance or unintended access patterns.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The dashboard reads the authentication token from location.search and appends it to API and SSE URLs, causing the secret to appear in browser history, server/access logs, referrers, bookmarks, and potentially intermediary monitoring systems. In a coordination dashboard for agent fleets, compromise of this token could expose task data and allow unauthorized task actions such as completion or deletion.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
A long-lived authentication token is persisted in a predictable file under the user's home directory without explicit permission hardening or user warning. On multi-user systems, shared environments, backups, or endpoint compromise, disclosure of this token would grant ongoing access to the dashboard APIs until the token is rotated.

Session Persistence

Medium
Category
Rogue Agent
Content
- **`clawctl/db.py`** — All SQL lives here. Every query uses `?` parameterized placeholders. Mutating functions return `(ok: bool, payload)` tuples. The `get_db()` context manager handles commit/rollback/close. This module is imported by both the CLI and the Flask server.
- **`clawctl/cli.py`** — Click commands. Each subcommand is a thin wrapper that calls `db.*` functions and formats output. The `print_columnar()` helper handles aligned table output with Unicode-aware width calculation.
- **`clawctl/schema.sql`** — Loaded by `db.init_db()` via `Path(__file__).parent`. Uses `CREATE TABLE IF NOT EXISTS` so re-running init is safe.
- **`dashboard/server.py`** — Flask app that imports `clawctl.db`. Read-only except for claim/complete endpoints. Persistent auth token saved to `~/.openclaw/.clawctl-token`. Not part of the installable package.
- **`dashboard/index.html`** — Single-file vanilla JS web UI. Tailwind via CDN. SSE for live updates.
Confidence
79% confidence

VirusTotal

66/66 vendors flagged this skill as clean.