Mission Control

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Mission Control dashboard skill, but it installs persistent hooks and ships broad automatic reporting with insecure default access controls that users should review before installing.

Install only in a trusted local or private environment. Before using it with real work, enable AUTH_MODE=local with a strong LOCAL_AUTH_TOKEN, set a non-placeholder HOOK_SECRET, restrict CORS_ORIGIN, avoid exposing the Docker ports publicly, and review what document content, file paths, error context, model/provider data, and cost telemetry agents will send to Mission Control. Treat the Library renderer/XSS findings as issues to fix before allowing untrusted agent or user content in the dashboard.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (37)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill exposes environment-variable access, network communication, and shell/tool installation capabilities without explicitly declaring permissions or trust boundaries. That mismatch makes it easier for the skill to transmit data, call arbitrary local services, or install/execute code without clear operator awareness, which is especially risky because the skill instructs the agent to send task data, file paths, and session metadata to an HTTP endpoint.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose presents the skill as a reporting/integration helper, but the documented behavior extends into broad workflow orchestration, task/project management, event dispatch, persistence, and operational control. This description-behavior gap can mislead users and automated policy systems about the true authority and data-handling scope of the skill, increasing the chance of over-privileged use and unintended actions.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest says the skill is for reporting progress, publishing documents, approvals, and request submission, but the body also instructs the agent to create tasks directly through task APIs. That hidden expansion of scope matters because task creation changes backend state and can trigger downstream workflow automation beyond simple reporting.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
Changing project status triggers dispatcher callbacks that can cause owner-agent lifecycle actions, effectively turning a normal data update into an action-executing control path. In a skill meant for backend reporting and coordination, this increases risk because any caller able to patch project status may indirectly trigger agent behavior, creating an unintended privilege boundary crossing if authorization is weak or absent.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This file establishes a persistent WebSocket connection to an external OpenClaw gateway, authenticates with a bearer token, receives presence/health/agent telemetry, and stores or rebroadcasts that data locally. Those capabilities materially exceed the stated Mission Control purpose of task progress, approvals, publishing, and project requests, creating an undeclared data-flow and control surface that could expose operational metadata or enable unauthorized monitoring if the gateway is misconfigured or hostile.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code processes live presence, agent state, health, and heartbeat events, writes agent records into the database, and broadcasts those updates internally. In the context of a skill advertised for reporting tasks and approvals, this acts as covert operational monitoring functionality; if connected to an attacker-controlled or unintended gateway, it could feed false telemetry, leak availability data, or normalize unauthorized surveillance of agents.

Context-Inappropriate Capability

Low
Confidence
90% confidence
Finding
The stylesheet imports Google Fonts from a third-party domain, which causes client browsers to make external requests and disclose metadata such as IP address, user agent, and timing information. In a Mission Control dashboard skill, this dependency is not necessary for core functionality and slightly expands privacy and supply-chain exposure.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This component renders attacker-controlled content with dangerouslySetInnerHTML after only regex-based filtering, which is not a safe HTML sanitization strategy. Multiple renderer methods interpolate unescaped values into attributes and element bodies, so crafted markdown/HTML can lead to DOM XSS despite the stripping function.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The safety claim in the header is contradicted by the implementation: href, title, alt/text, table cells, code spans, and CSV fields are inserted into HTML without consistent escaping before the final HTML is injected into the DOM. Because the downstream sink is dangerouslySetInnerHTML, these gaps enable scriptable markup or attribute injection and make the stated XSS protection ineffective.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documented API surface expands beyond the stated Mission Control purpose of task progress, approvals, publishing, and project requests by adding session telemetry and agent-state reporting. This broadens data collection and control channels, increasing privacy and monitoring risk and creating opportunities for unnecessary operational surveillance or misuse if the backend is compromised or over-permissive.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The session:ended payload collects detailed model, provider, token, cache, and cost telemetry that is not required for core task reporting or document publishing. This creates unnecessary disclosure of operational metadata that could reveal internal model usage patterns, spending, and workload characteristics to the receiving service or any party with access to collected logs.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
The agent lifecycle events such as agent:idle and agent:error enable continuous monitoring of agent behavior outside the core documented scope. While lower impact than token telemetry, they still add an unnecessary observability channel that can expose workflow state, failures, and timing information useful for profiling or misuse.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README promotes automatic installation and states that agent communications are sent via HTTP POST to a backend, but it does not warn users that task data, approvals, deliverables, and cost information may be transmitted off-agent and persisted by an external service. In a skill that is explicitly injected into agent workflows and lifecycle hooks, this omission is security-relevant because operators may enable broad data exfiltration or system changes without understanding the privacy and operational impact.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The invocation guidance says to use the skill whenever tasks start, complete, fail, need approval, or produce documents, which is broad enough to activate it during routine work. In context, that means frequent network transmission of operational data to Mission Control and increases the chance that sensitive content, file paths, or metadata are sent automatically without a deliberate decision point.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The publishing workflow directs the agent to send full document content, collection metadata, project identifiers, and source file paths to Mission Control without any warning or data-minimization step. In security context, this can exfiltrate sensitive research, secrets embedded in documents, internal filesystem structure, or regulated data to a backend that may be remote or insufficiently protected.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The session lifecycle and status reporting sections instruct the agent to transmit token usage, provider/model details, errors, and operational state with no warning about privacy or telemetry implications. While less severe than document-content publication, this still leaks potentially sensitive workload patterns, model/provider choices, and internal error context to the Mission Control backend.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The /stats endpoint returns broad operational data including full blockedTasks, stalledTasks, and recentActivity records, not just aggregate counts. In this file there is no visible authentication, authorization, or field-level minimization, so if this route is reachable by untrusted clients it can expose sensitive project, task, agent, and activity information useful for reconnaissance or data leakage.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The /stream SSE endpoint appears to allow any client to establish a long-lived connection and receive all backend broadcasts, while also setting Access-Control-Allow-Origin: *. In a mission-control context, real-time updates may contain sensitive workflow, approval, project, or operational event data, making this a significant confidentiality risk and potentially enabling passive monitoring by unauthorized parties.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
After a review decision, the code automatically dispatches outbound events to an agent via onReviewApproved/onReviewChangesRequested/onReviewRejected with no visible user-consent or disclosure control in this file. That can leak review outcomes, notes, and associated task/project context to external or semi-external consumers unexpectedly, which is particularly sensitive in a Mission Control integration that handles approvals and operational status.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code automatically moves stalled tasks from 'doing' back to 'todo' and clears the assigned agent without notifying or obtaining confirmation from the affected user. In a mission-control workflow, this can cause silent loss of ownership, duplicate work, and confusing task state transitions, especially if a task was still actively being worked but simply missed an update or heartbeat.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The service is configured with insecure defaults for authentication and secrets: AUTH_MODE defaults to 'none', LOCAL_AUTH_TOKEN defaults to empty, and HOOK_SECRET defaults to a known placeholder. In a skill intended to report task progress, publish documents, and request approvals over HTTP/WebSocket-connected backend services, these defaults can expose privileged workflow actions to unauthorized users if deployed without explicit hardening.

Missing User Warnings

Low
Confidence
83% confidence
Finding
Loading fonts from fonts.googleapis.com results in user browsers contacting a third party, which can expose client metadata without any indication in this file that users are informed or that consent is obtained. While not a severe exploit path, it is a real privacy issue and is less appropriate in an internal task/reporting interface like Mission Control.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The quick-action approve/reject buttons immediately submit a decision with no confirmation, no display of key consequences, and no requirement to review notes or workflow context first. In this skill, some approvals are explicitly tied to a resume_token that can resume paused workflows, so an accidental click can trigger operational changes or advance automation without deliberate human verification.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The component renders server-provided `d.content_highlight` directly with `dangerouslySetInnerHTML` after only truncating it with `slice(0, 150)`, which does not sanitize HTML or prevent scriptable payloads. If the backend search index or stored document content can be influenced by a user or agent, this creates a stored or reflected XSS path in a privileged dashboard that may expose session data or allow actions as the victim.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The quick-action buttons immediately call handleDecide to approve or request changes without any confirmation, context review, or safeguard against accidental clicks. In a mission-control workflow, a mistaken approval or change request can alter task state, trigger downstream automation, and create integrity issues in review records.

VirusTotal

64/64 vendors flagged this skill as clean.