Django Claw

Security checks across malware telemetry and agentic risk

Overview

This is a real Django admin helper, but it gives OpenClaw broad write-capable access to a configured Django project and under-discloses several high-impact behaviors.

Install only if you want OpenClaw to have trusted administrator-level access to the selected Django project. Enable read-only mode by default for production or sensitive databases, treat `django-claw shell` as arbitrary Python execution, review or remove generic aliases, and inspect `~/.openclaw/openclaw.json` after setup for persistent DJANGO_* changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding:
The skill advertises user-invocable command execution and the static analysis indicates environment access and file-writing capability, yet the manifest declares no permissions. In this context, the skill can modify persistent configuration and interact with local system state without clear permission boundaries, which increases the risk of unintended data exposure or configuration tampering.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding:
The documented behavior is substantially broader than the stated description: it supports arbitrary Django shell code execution, operational introspection, user/account enumeration, settings inspection, and persistent config modification. This mismatch is dangerous because users and downstream policy systems may authorize the skill for limited admin tasks while it actually enables code execution and sensitive application discovery well beyond that scope.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
This script enumerates all registered Django URL patterns, including route names and callback views, which expands the skill's capabilities beyond the stated manifest description. In a security context, hidden route discovery can materially aid reconnaissance by revealing administrative, internal, or undocumented endpoints that are useful for follow-on attacks or sensitive environment mapping.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The script explicitly enumerates all Django users and prints identifying account data including usernames, emails, privilege level, and active status. That is sensitive directory information and exceeds the narrow management-command framing unless this capability is clearly declared, access-controlled, and justified; in an agent skill, undisclosed user enumeration materially increases privacy and reconnaissance risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The skill description focuses on Django management commands and ORM queries, but this script provides a ready-made capability to list every user account. In context, that broadens the operational scope from administration tooling into account discovery, which can aid targeting, phishing, privilege mapping, and other follow-on abuse if invoked by an over-privileged agent or operator.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The script writes attacker-controlled input directly into a temporary Python file and executes it inside a fully initialized Django context. That enables arbitrary code execution with the permissions of the configured project, which goes far beyond narrowly scoped ORM querying and can be used to read files, access settings indirectly, invoke subprocesses, or modify application state.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The code appends raw user input to a Python script and executes it via the project interpreter after calling django.setup(). In the context of a Django project, this exposes arbitrary application-code execution, allowing database writes, data exfiltration, secret access bypasses, and command execution, which is not justified by the stated purpose of management commands and ORM queries.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The claimed protection against sensitive settings access is only a brittle regex filter over the input string, while arbitrary Python execution remains available. An attacker can trivially bypass these checks through alternate imports, attribute construction, indirect access paths, or non-matching secret names, creating a false sense of safety around a dangerous primitive.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The setup script writes user-supplied Django project settings into the global ~/.openclaw/openclaw.json file, affecting gateway-wide environment variables rather than staying scoped to this skill. This creates cross-skill configuration contamination and can unexpectedly change how other skills or the gateway execute, especially if they trust these shared environment variables.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding:
The README explicitly advertises `makemigrations` and `migrate`, which can change schema and production state, but it does not prominently warn users about operational risk, backup requirements, or safe-environment expectations. In a tool designed to run commands directly against arbitrary configured Django projects, understated documentation increases the chance of accidental destructive use, especially in production.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The README documents `django-claw shell: <code>` as a way to run Django ORM queries, which effectively exposes arbitrary code/query execution in the target Django context. Without a strong warning, examples, or constraints, users may assume this is safe for read-only inspection when it can modify or delete data, trigger side effects, or execute dangerous application logic.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill explicitly supports `django-claw shell: <code>` and maps it to execution of arbitrary code in the Django context, but the description does not prominently warn that this is arbitrary code execution rather than a limited ORM query interface. In the context of a configured Django project, this can expose secrets, modify application data, execute dangerous logic, and potentially reach connected infrastructure through application credentials.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The script prints user email addresses directly from the database with no warning, minimization, or consent flow. Email addresses are sensitive personal data and exposing them through an agent skill increases privacy risk and provides a high-value target list for phishing or account enumeration.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding:
The aliases for several commands are broad, generic phrases like "list models," "show apps," and "show users," which can plausibly appear in ordinary developer conversation and unintentionally trigger the skill. Because this skill can inspect project structure and potentially sensitive application/user information, accidental activation creates a real risk of unintended data exposure or operational actions.

Vague Triggers

Severity: High
Confidence: 98%
Finding:
Aliases such as "migrate," "show logs," and "python version" are highly ambiguous and map to commands that may change application state, expose logs, or run environment inspection. In the context of an agent skill, these common phrases materially increase the chance of accidental execution from routine user requests, which is especially dangerous because the skill includes state-changing operations and ORM query capability.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The description presents the skill as a general Django utility but does not clearly disclose that it can execute mutating management commands and arbitrary ORM queries on any configured project. This missing warning is dangerous because users and higher-level agents may treat it as informational tooling, while it actually has the ability to alter databases, inspect sensitive records, and affect production-like environments.

VirusTotal

65/65 vendors flagged this skill as clean.
