WebChat HTTPS Proxy

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local HTTPS proxy for OpenClaw WebChat, with persistent service behavior that users should understand before enabling.

Install this only if you want an always-on local HTTPS/WSS proxy for OpenClaw WebChat. Keep the default localhost binding unless you intentionally want LAN access, and avoid sharing URLs, logs, screenshots, or shell history that contain gateway tokens. Use uninstall.sh or systemctl --user disable --now openclaw-voice-https.service if you no longer need the proxy.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Rogue AgentSelf-Modification, Session Persistence
Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (7)

Tainted flow: 'key_path' from os.environ.get (line 293, credential/environment) → subprocess.run (code execution)

Medium

Category: Data Flow
Content: return # Safe: fixed argument list, no user input, no shell=True subprocess.run([ "openssl", "req", "-x509", "-nodes", "-newkey", "rsa:2048", "-keyout", str(key_path), "-out", str(cert_path),
Confidence: 62% confidence
Finding: subprocess.run([ "openssl", "req", "-x509", "-nodes", "-newkey", "rsa:2048", "-keyout", str(key_path), "-out", str(cert_path), "-days", "3650", "-subj", "/C

Description-Behavior Mismatch

Medium

Confidence: 92% confidence
Finding: The script alters the user's global OpenClaw gateway configuration by adding an allowed origin and then restarts the gateway, which affects components outside the stated scope of merely deploying an HTTPS reverse proxy. In an agent-skill context, modifying shared config and triggering service restarts without explicit consent can weaken trust boundaries and create unexpected exposure or downtime for other OpenClaw components.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The troubleshooting guidance instructs users to place a gateway token directly in a URL query string and on the command line without warning about exposure risks. Tokens in URLs can leak via browser history, logs, referer headers, screenshots, and proxy/access logs, while CLI arguments may be visible via shell history or process listings, making credential compromise plausible.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script silently edits the user's OpenClaw JSON configuration file to append a new allowed origin. Even though the value is derived from validated inputs, changing security-relevant config without notice or confirmation is risky because it persists beyond the install and may broaden access to the control UI.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The script creates, enables, and starts a persistent user systemd service without any explicit disclosure or consent. Persistent background execution increases attack surface and can surprise users by continuing to listen on a port or restart automatically after login.

Session Persistence

Medium

Category: Rogue Agent
Content: - No telemetry, analytics, or phone-home behavior. ### Persistence - User systemd service starts on boot. Use `uninstall.sh` to fully revert. ## What this skill modifies
Confidence: 82% confidence
Finding: systemd service starts on boot. Use `uninstall

Session Persistence

Medium

Category: Rogue Agent
Content: | What | Path | Action | |---|---|---| | Gateway config | `~/.openclaw/openclaw.json` | Adds HTTPS origin to `gateway.controlUi.allowedOrigins` | | Systemd service | `~/.config/systemd/user/openclaw-voice-https.service` | Creates + enables persistent HTTPS proxy | | Runtime file | `~/.openclaw/workspace/voice-input/https-server.py` | Copies proxy server | | TLS certs | `~/.openclaw/workspace/voice-input/certs/` | Auto-generated self-signed cert on first run |
Confidence: 85% confidence
Finding: Systemd service | `~/.config/systemd/user/openclaw-voice-https.service` | Create

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal