Contextui
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: contextui
Version: 1.0.7
The skill bundle is classified as suspicious due to several vulnerabilities and high-risk capabilities. The `scripts/exchange.sh` file contains a shell injection vulnerability in its `comment` function, where user-provided body text is directly interpolated into a JSON string without proper sanitization. Additionally, `SECURITY.md` and `references/server-launcher.md` disagree about Python backend network binding: the documentation states `localhost` (127.0.0.1), but the example code in `server-launcher.md` shows `host="0.0.0.0"`, potentially exposing local Python servers to the entire network. Furthermore, the skill grants the AI agent broad, high-risk capabilities, including arbitrary file reading (`read_workflow`), arbitrary local code execution (`python_start_server`, `launch_workflow`), and the ability to connect to external MCP servers via shell command execution (`connect_mcp_server`). These capabilities significantly increase the attack surface for prompt injection against the agent, which could lead it to misuse these powerful tools.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A workflow backend could be reachable by other devices on the local network, and browser pages may be able to call it if the OS firewall allows access.
This is presented as the standard Python backend pattern, but it permits any browser origin and binds the server to all network interfaces instead of localhost.
`app.add_middleware(CORSMiddleware, allow_origins=["*"], allow_methods=["*"], allow_headers=["*"])` ... `uvicorn.run(app, host="0.0.0.0", port=port)`
Change generated backends to bind to 127.0.0.1 by default and restrict CORS to the ContextUI app or localhost origins unless the user explicitly chooses network exposure.
Using this skill may install Python packages and run local backend processes for workflows.
The skill documents local package installation and starting Python backend servers, which is expected for ContextUI workflows but still executes local code and installs dependencies.
Python detection → venv selection → GPU detection → package installation (GPU-aware) → server start/stop → connection polling
Review package lists and backend code before installing dependencies or starting servers, especially for workflows from third parties.
If you provide an API key, the agent may be able to publish, update, comment, like, download, or delete marketplace resources depending on account permissions.
The optional Exchange API key is purpose-aligned for marketplace publishing and downloads, but it lets the agent act as the user's ContextUI Exchange account.
All requests require the key in the Authorization header: `Authorization: Bearer ctxk_your_key_here`
Only provide the API key when needed, prefer least-privilege or revocable keys if available, and manually approve publishing, deletion, billing, or account-changing actions.
The behavior depends partly on external local ContextUI/MCP files that are not fully represented in the supplied artifact text.
Important helper code for dependency installation and server control is referenced from the local ContextUI installation rather than included in the skill artifacts reviewed here.
Always copy `ui/ServerLauncher/` from `examples/KokoroTTS/ui/ServerLauncher/` ... The source code is maintained in the canonical location. Do not embed copies in documentation
Use a trusted ContextUI installation and review the referenced ServerLauncher/MCP code before relying on it for package installation or server execution.
The agent may be able to see UI contents and perform clicks or typing inside ContextUI during workflow testing.
The MCP tool surface can observe and interact with the ContextUI app window, which is central to testing workflows but can expose visible UI content to the agent.
ui_screenshot — Capture a screenshot of the current workflow or app window ... ui_get_dom — Get the DOM tree structure of the current workflow ... ui_type — Type text into an input field
Avoid displaying sensitive information in ContextUI while the skill is active, and review UI automation actions before allowing them on important workflows.
