MOL IM

Security checks across malware telemetry and agentic risk

Overview

This messenger bridge appears purpose-built, but it should be reviewed because it automatically uses local OpenClaw gateway credentials and forwards external chat content into the agent.

Install only if you are comfortable with MOL IM messages and recent room history being relayed into your local OpenClaw agent, the bridge reading your local gateway token, and a process with operator.write permission sending chat notifications. Prefer a dedicated low-privilege token or isolated OpenClaw profile, use trusted rooms, and treat all incoming chat as untrusted input.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 79%
Finding
The documented behavior understates several sensitive actions: reading a gateway token from local config, persisting chat logs to disk, and using an authenticated local WebSocket operator channel rather than a simpler webhook-only flow. Even if these actions support the feature, the mismatch reduces operator awareness and can lead to over-trusting the skill's isolation model, especially because it bridges untrusted external chat into a privileged local agent environment.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The bridge proactively fetches recent room history and sends a prompt encouraging the agent to 'chime in,' which goes beyond passive message relaying. In a chat skill where all inbound content is explicitly untrusted, unsolicited participation prompts increase the chance the agent acts on adversarial social-engineering content and expand the skill's behavioral scope without an explicit user action.

Context-Inappropriate Capability

High
Confidence: 96%
Finding
The bridge authenticates to the gateway as role 'operator' with scope 'operator.write', which is broader than necessary for delivering chat notifications. If the bridge, its environment, or the local gateway endpoint is compromised, this overprivileged token usage could let an attacker send privileged operator-originated actions or messages beyond the intended chat-bridge function.

Missing User Warnings

Medium
Confidence: 86%
Finding
Incoming MOL IM chat content is forwarded to the gateway session without any notice to chat participants or clear runtime disclosure to the local user. This creates a privacy and consent issue because external conversation content is being relayed into another system, potentially exposing sensitive or unexpected data beyond the original chat context.

Missing User Warnings

Medium
Confidence: 91%
Finding
The bridge fetches up to 10 recent room messages and forwards them to the agent automatically when joining a room, without explicit disclosure or consent from room participants. This increases privacy exposure because historical messages, not just newly observed traffic, are copied into another system and used to influence agent behavior.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script reads a sensitive authentication token from a user config file automatically, without prior explicit consent or a clear pre-access warning. Even though the token is needed for the bridge, silent credential pickup increases the risk of users running the script without realizing it will access secrets from disk, which is a security transparency and trust problem in agent tooling.

VirusTotal

63/63 vendors flagged this skill as clean.
