Pipedream Connect

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Pipedream integration, but it handles powerful tokens and optional background persistence in ways users should review before installing.

Install only if you trust this publisher and need OpenClaw agents to access apps through Pipedream. Review who can call the Pipedream gateway RPCs, protect ~/.openclaw/secrets.json and mcporter config files, avoid exposing the dashboard to untrusted users, and only run the cron setup if you want ongoing background token refresh.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
This code enumerates all agents and queries each agent's Pipedream status from a global UI path, which expands visibility beyond the currently selected agent. In a multi-tenant or least-privilege design, broad cross-agent enumeration can expose integration metadata such as which agents are configured, their external user IDs, and app counts to users who should only manage one agent.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
This setup script establishes persistence by copying a script into the user's home directory and modifying the user's crontab to run it indefinitely. Even if intended for token refresh, persistent background execution expands the skill's capabilities beyond simple integration setup and creates a durable execution path that could be abused if the refresh script is modified or compromised later.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code installs a recurring cron job that will continue executing without further user interaction. In a skill whose stated purpose is app integration, this background persistence is more sensitive because it creates an ongoing foothold and periodic execution channel, which could be leveraged for unauthorized actions if related files or environment state are later altered.

Credential Access

High
Category
Privilege Escalation
Content
setState((prev) => ({ ...prev, connectingApp: appSlug, error: null, success: null }));

  try {
    // Get access token and credentials from backend
    const tokenResult = await client.request<{
      success: boolean;
      error?: string;
Confidence
82% confidence
Finding
access token

Session Persistence

Medium
Category
Rogue Agent
Content
fi

# Check if cron job already exists
if crontab -l 2>/dev/null | grep -q "pipedream-token-refresh"; then
    echo "ℹ️  Cron job already exists"
    crontab -l | grep "pipedream-token-refresh"
else
Confidence
84% confidence
Finding
crontab -l

Session Persistence

Medium
Category
Rogue Agent
Content
# Check if cron job already exists
if crontab -l 2>/dev/null | grep -q "pipedream-token-refresh"; then
    echo "ℹ️  Cron job already exists"
    crontab -l | grep "pipedream-token-refresh"
else
    # Add cron job (runs every 45 minutes)
    CRON_LINE="*/45 * * * * /usr/bin/python3 $REFRESH_SCRIPT --quiet >> $LOG_DIR/pipedream-cron.log 2>&1"
Confidence
84% confidence
Finding
crontab -l

Session Persistence

Medium
Category
Rogue Agent
Content
else
    # Add cron job (runs every 45 minutes)
    CRON_LINE="*/45 * * * * /usr/bin/python3 $REFRESH_SCRIPT --quiet >> $LOG_DIR/pipedream-cron.log 2>&1"
    (crontab -l 2>/dev/null || echo "") | { cat; echo "$CRON_LINE"; } | crontab -
    echo "✅ Added cron job: runs every 45 minutes"
fi
Confidence
95% confidence
Finding
crontab -l

VirusTotal

66/66 vendors flagged this skill as clean.
