OpenClaw Dashboard

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate OpenClaw monitoring dashboard, but it exposes sensitive local agent sessions, memory, and logs over an unauthenticated LAN-accessible server.

Install only if you are comfortable with the dashboard reading and displaying private OpenClaw sessions, memory files, costs, project data, and logs. Run it only on a trusted machine and trusted network, avoid exposing port 3721 beyond localhost unless you add access controls, and stop the server when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 80%
Finding
The skill advertises monitoring features but declares no permissions while static analysis indicates environment-access capabilities. Missing permission disclosure undermines informed consent and can hide access to sensitive local configuration, tokens, or paths that may be exposed through the dashboard backend.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
This is a strong true positive because the declared purpose frames the skill as a dashboard, but the implementation reportedly reads and exposes memory files, agent identity/state documents, raw logs, live log streams, and separate session usage logs. That creates a substantial risk of sensitive data exposure, since these sources commonly contain prompts, credentials, internal notes, filesystem details, and conversation history far beyond what a typical monitoring dashboard description implies.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The /api/session/:agentId/:file endpoint returns full parsed session events, which can include raw user prompts, assistant outputs, and embedded usage/context data. In this dashboard’s context, those session files likely contain highly sensitive operational data, so exposing replay contents over HTTP materially increases the blast radius of any local or network access to the dashboard.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The /api/log endpoint exposes raw gateway.log content and /api/events streams new log lines live over SSE. Logs commonly contain prompts, tokens, errors, paths, internal state, and other sensitive telemetry, so broad log access goes beyond simple monitoring and can leak secrets or operational details to anyone who can reach the service.

Missing User Warnings

Medium
Confidence: 84%
Finding
The README explicitly advertises browsing local memory files, session history, and live logs from the user's `~/.openclaw/` directory, but it does not warn that these sources may contain secrets, prompts, credentials, personal data, or other sensitive operational context. In a monitoring dashboard context, normalizing in-browser access to such data increases the chance of accidental exposure through the UI, screenshots, demos, shared machines, or insufficient access controls.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill description highlights memory browsing, session replay, and live logs without warning that these features may surface sensitive local data and historical conversations. In a monitoring skill, that omission is especially dangerous because users may install it expecting harmless visualization, not broad access to private agent memory and logs.

Missing User Warnings

Medium
Confidence: 97%
Finding
The server binds to 0.0.0.0 and exposes numerous endpoints that return local agent state, memory files, session history, activity, projects, and logs, yet there is no authentication, authorization, or access control anywhere in the file. In the context of an OpenClaw monitoring dashboard, this means anyone with network reach to the host may be able to enumerate and exfiltrate highly sensitive local data, making the skill context significantly more dangerous than a typical low-sensitivity dashboard.

VirusTotal

64/64 vendors flagged this skill as clean.
