v1.1.2

Mission Control

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:57 AM.

Analysis

Mission Control is a coherent dashboard skill, but its artifacts show a default no-auth backend with broad mutation and agent-dispatch capabilities that users should review before installing.

GuidanceReview and harden the backend before installing or running on a network: enable authentication, keep Mission Control bound to localhost unless needed, firewall its ports, protect the hook secret and gateway token, and decide what agent outputs are appropriate to store in the Library.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

setup.sh

AUTH_MODE=none
LOCAL_AUTH_TOKEN=
...
HOOK_SECRET=$MC_SECRET

The installer generates a backend configuration with authentication disabled while the skill documents many POST/PATCH/DELETE APIs for projects, tasks, approvals, requests, reviews, library documents, and dispatch state.

User impactIf the backend API is reachable by another local or LAN user, they may be able to alter dashboard data, approve or reject workflow items, or affect agent workflows without authentication.

RecommendationEnable token authentication before exposing the backend, bind it to localhost unless LAN access is required, firewall port 8000, and require auth for all mutating and dispatch endpoints.

Human-Agent Trust Exploitation

SeverityMediumConfidenceHighStatusConcern

docs/GETTING-STARTED.md

By default, Mission Control only listens on `localhost` ... The backend already listens on all interfaces when you set `PORT=8000`

The documentation gives a mixed safety message: it tells users the dashboard is local-only by default, but also states the backend listens on all interfaces, which is risky when auth is disabled.

User impactA user may believe the system is only accessible from their own machine while the backend API is actually reachable from other network hosts.

RecommendationClarify the binding behavior, default the backend to localhost, and warn users to enable authentication and firewalling before LAN exposure.

Rogue Agents

SeverityLowConfidenceHighStatusNote

setup.sh

cp "$SCRIPT_DIR/hook.ts" "$HOOKS_DIR/mission-control-hook.ts"
...
openclaw hooks enable mission-control

The installer copies and enables a lifecycle hook so Mission Control continues receiving OpenClaw events after setup.

User impactAgent lifecycle monitoring and event posting continue across sessions until the hook is disabled.

RecommendationInstall only if you want ongoing monitoring, and know how to disable or remove the mission-control hook from OpenClaw.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

hook.ts

const HOOK_SECRET = process.env.MISSION_CONTROL_HOOK_SECRET || ""; ... "X-Hook-Secret": HOOK_SECRET ... body: JSON.stringify({ event, agentId, taskId, data, timestamp: new Date().toISOString() })

The hook uses a shared secret to authenticate lifecycle-event posts to Mission Control and sends agent/task/session event data to the configured backend.

User impactThe configured backend receives operational metadata about agent sessions and tasks, and anyone with the hook secret can submit hook events.

RecommendationUse a strong secret, keep MISSION_CONTROL_URL pointed only at a trusted backend, and rotate the hook secret if it is exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusConcern

docs/API-REFERENCE.md

GET | `/api/dispatch/pending/:agentId` | Poll for undelivered events. Marks as delivered. ... Mission Control also tries to push them via the gateway's `/hooks/agent` HTTP endpoint and WebSocket `agent` method.

Agent-directed messages can be delivered through gateway push or polled by agentId, and the documented polling endpoint marks messages delivered; combined with default no-auth configuration, origin and permission boundaries are unclear.

User impactIf exposed, another caller could interfere with agent-directed messages, consume pending instructions, or disrupt delivery state.

RecommendationRequire authenticated agent identity for polling and acknowledgement, sign or validate dispatched events, and keep gateway and dispatch routes private.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

When you produce research, reports, documentation, analysis, or any reference material, publish it to the Library so it's organized and searchable.

The skill intentionally stores produced content in a searchable Library, creating persistent context that may include sensitive work product.

User impactDocuments, summaries, and reports may remain searchable in the Mission Control database after the original task ends.

RecommendationReview what agents publish, avoid storing secrets or private data unnecessarily, and configure access controls and retention for the Library.