Claw List

Security checks across malware telemetry and agentic risk

Overview

Claw-List is a coherent self-hosted todo-list skill, but its bundled server has unauthenticated admin and identity controls that can expose or alter task data if reachable by others.

Install only for a trusted private deployment or put the API/UI behind real authentication and network controls. Do not expose the documented 0.0.0.0/plain-HTTP setup to untrusted networks, treat agent IDs as secrets, confirm destructive actions, and avoid putting secrets, credentials, personal data, or raw conversation transcripts in notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The documentation explicitly states that agents can self-register via `/admin/agents` with no authentication, while the rest of the design relies on agent identity and scope for access control. In a system where identity appears to be client-supplied, unauthenticated registration and likely unauthenticated identity assertion enable spoofing, rogue agent creation, and erosion of the trust model behind ownership and scope enforcement.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The UI selects an `all`-scope agent if available, but otherwise falls back to any registered agent and still calls the broad `/lists` endpoint with that agent's ID. If the backend trusts the `X-Agent-Id` header or has inconsistent authorization, this can expose cross-agent list data and normalize privilege confusion in the client. In this skill context, the interface is explicitly an admin-like multi-agent task manager, so mishandling agent scope is more dangerous because it can leak data between tenants or agents.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger phrases are broad, generic terms such as "todo," "my tasks," and "show me the list," which can easily match ordinary conversation unrelated to this skill. That increases the chance of unintended invocation, causing the agent to read from or modify persistent task data or contact the configured remote API without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill persists configuration under the user's home directory and tracks registration state, but the description does not warn the user that local files will be created and updated. This can surprise users, create unnoticed persistence across sessions, and complicate incident response or privacy expectations on shared systems.

Missing User Warnings

Medium
Confidence: 97%
Finding
On first registration, the skill sends identifying data including agent_id and display_name to a remote endpoint, yet the skill description does not provide a privacy warning or obtain explicit consent. This is risky because users may not realize that local identity metadata is being transmitted to an external service, potentially over plain HTTP as shown in the example.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation explicitly instructs agents to store 'conversation context' in a free-text notes field, which creates a retention path for potentially sensitive user data without any minimization, consent, or privacy guidance. In an agent system, conversation context often contains personal, confidential, or security-relevant information, so normalizing this storage behavior increases the chance of unnecessary collection and later disclosure.

Missing User Warnings

Medium
Confidence: 85%
Finding
The documentation encourages storing conversation context in `notes` without any warning about sensitive data, retention, or minimization. Because agent conversations may contain secrets, personal data, or internal links, this creates a realistic risk of privacy leakage and unnecessary persistence of sensitive information in a shared task system and UI.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README explicitly tells operators to bind both the API and UI to 0.0.0.0, making them reachable from the network, but it does not pair that guidance with clear warnings about authentication, access control, TLS, or the privacy implications of exposing agent-facing infrastructure. In this context, the service is intended for agents and human oversight, so accidental broad exposure could enable unauthorized access, data leakage, or misuse if deployed on an untrusted network.

Missing User Warnings

Medium
Confidence: 99%
Finding
The administrative agent-management endpoints have no authentication or authorization at all, so any caller can list, create, modify, or delete agents. Because agent identity and scope drive access control for the rest of the API, an attacker can create or alter agents to gain broader access or disable legitimate identities entirely.

Ssd 3

Medium
Confidence: 94%
Finding
Using a natural-language notes field to retain conversation context creates a broad, unstructured sink for user-provided data that is difficult to sanitize, review, or constrain. Because the API also supports broad read access under 'all' scope, this retained context may become visible beyond the original interaction boundary, increasing privacy and data exposure risk.

Session Persistence

Medium
Category
Rogue Agent
Content
# Claw-List

Manage todo lists via a central API. Trigger on: "the list", "show me the list", "todo", "add task", "add to my list", "mark done", "mark complete", "what's due", "my tasks", "create a list".

## Config
Confidence: 86%
Finding
create a list". ## Config Check env vars first: `CLAW_LIST_AGENT_ID`, `CLAW_LIST_URL` (set via openclaw.json skills.entries for multi-agent setups). If env vars not set: read `~/.openclaw/skills/cl

Tool Parameter Abuse

High
Category
Tool Misuse
Content
All requests require header `X-Agent-Id: {AGENT_ID}`. Base URL from `CLAW_LIST_URL`.

Lists: `GET /lists` · `POST /lists {"name":"..."}` · `DELETE /lists/{id}`

Items: `GET /lists/{id}/items` · `POST /lists/{id}/items` · `PUT /items/{id}` · `DELETE /items/{id}`
Confidence: 88%
Finding
`DELETE /lists/{id}`

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Lists: `GET /lists` · `POST /lists {"name":"..."}` · `DELETE /lists/{id}`

Items: `GET /lists/{id}/items` · `POST /lists/{id}/items` · `PUT /items/{id}` · `DELETE /items/{id}`

Item fields: `title` (required on create), `notes`, `priority` (1–5), `due_date`, `category`, `done`.
Confidence: 90%
Finding
`DELETE /items/{id}`

VirusTotal

66/66 vendors flagged this skill as clean.