gateway-control-ui

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed instruction-only guide for OpenClaw gateway login and device pairing, with sensitive credential steps that require careful handling.

Use this only when you intend to access and pair with your OpenClaw gateway. Treat the gateway token and service password as secrets, avoid embedding credentials in a URL when possible, redact logs or screenshots, and approve only device pairing request IDs you recognize.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly instructs the operator to retrieve a gateway authentication token from a local config file and to use service credentials for HTTP Basic Auth, but it provides no warning about secret handling, redaction, storage, or output exposure. In an agent setting, these steps can cause credentials or tokens to be displayed in logs, chat transcripts, terminal history, screenshots, or copied into untrusted contexts, enabling unauthorized access to the gateway UI and device-pairing workflow.

VirusTotal

64/64 vendors flagged this skill as clean.
