Web Claw

Security checks across malware telemetry and agentic risk

Overview

Webclaw appears purpose-built for an OpenClaw web dashboard, but it installs and exposes powerful server and account administration actions that deserve manual review before use.

Install only on a server you administer and only if you want a persistent OpenClaw web dashboard with nginx/systemd integration. Before installing, verify the GitHub release and dependency sources yourself, restrict who can invoke webclaw actions, and treat password, session, SSL, and service-restart commands as privileged admin operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (11)

Description-Behavior Mismatch

Medium (95% confidence)
The file explicitly exposes a Telegram-invoked management interface even though the skill description centers on a browser dashboard. That hidden or under-disclosed control surface can bypass expected web UI controls, auditing, and user expectations, increasing the chance of unauthorized administrative use.

Context-Inappropriate Capability

High (97% confidence)
The script can obtain certificates, write nginx configuration, reload services, and otherwise administer host infrastructure using sudo. In a skill advertised as a web dashboard, this is a significant privilege boundary expansion and becomes dangerous if the invoking channel is compromised or insufficiently restricted.

Context-Inappropriate Capability

Low (84% confidence)
The status output returns DB path and install directory, exposing filesystem layout and deployment details. While not severe on its own, this information can help an attacker target local files, backups, or follow-on privilege escalation attempts.

Vague Triggers

Medium (83% confidence)
The activation triggers include broad phrases such as web UI, browser access, login page, nginx, and HTTPS/SSL that can overlap with ordinary assistance requests. In an agent environment, overbroad triggers can cause the wrong skill to activate and steer users into administrative or security-sensitive workflows they did not intend to invoke.

Missing User Warnings

Medium (86% confidence)
The action list includes sensitive operations such as password resets, disabling users, clearing sessions, restarting services, and SSL changes, but it does not consistently require explicit confirmation or warn about operational impact. If invoked accidentally or via ambiguous prompting, these actions can lock out users, disrupt service, or alter authentication and access state.

Missing User Warnings

Low (82% confidence)
The script discloses internal configuration paths without warning or contextual need. Such disclosures aid reconnaissance by revealing where databases, installs, and service configs live on disk.

Missing User Warnings

Medium (91% confidence)
The password reset action can immediately overwrite credentials and invalidate all sessions, and it even permits caller-supplied passwords. If the invocation channel is abused or a mistake is made, accounts can be taken over or locked out without any confirmation step or policy enforcement.

Missing User Warnings

Medium (90% confidence)
Disabling a user and clearing sessions is an account-impacting administrative action performed immediately with no confirmation barrier. In a chat- or agent-triggered workflow, accidental or unauthorized invocation can create denial of service against legitimate users.

Missing User Warnings

Medium (90% confidence)
Purging all sessions is a destructive global action that forces every user to reauthenticate, yet it executes immediately. If triggered maliciously or by error, it causes widespread disruption and can be used as an administrative denial-of-service mechanism.

Missing User Warnings

Low (78% confidence)
Restarting services is a privileged disruptive action and is executed without any confirmation or safety interlock. In a remote control context, this can be abused to interrupt availability or mask other malicious activity.

Missing User Warnings

Medium (89% confidence)
The installer fetches code from a remote GitHub repository and then executes dependency installation steps (pip install, npm install/build) on that fetched content during installation. Although the clone is pinned to a release tag, there is no cryptographic verification of the fetched source or dependency lock/verification, so a compromised repo, tag, or dependency supply chain could lead to arbitrary code execution during install.

VirusTotal

65/65 vendors flagged this skill as clean.
