
Security audit

ClawStatus

Security checks across malware telemetry and agentic risk

Overview

ClawStatus appears to be a real dashboard, but it exposes administrative OpenClaw controls without authentication when run as documented.

Treat this as an unauthenticated OpenClaw admin console, not just a read-only status page. Install only if you trust the publisher and code, bind it to 127.0.0.1 or put it behind strong authentication/VPN/firewall controls, and avoid exposing the documented 0.0.0.0 service to untrusted networks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
or str(HOME / ".npm-global" / "bin" / "openclaw")
    )
    try:
        proc = subprocess.run(
            [openclaw_bin, "restart"],
            capture_output=True, text=True, timeout=10,
        )
Confidence
99% confidence
Finding
proc = subprocess.run( [openclaw_bin, "restart"], capture_output=True, text=True, timeout=10, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not found:
        raise KeyError(job_id)
    try:
        subprocess.Popen(
            ["openclaw", "cron", "run", job_id, "--timeout", "30000"],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
Confidence
94% confidence
Finding
subprocess.Popen( ["openclaw", "cron", "run", job_id, "--timeout", "30000"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
or str(HOME / ".npm-global" / "bin" / "openclaw")
    )
    try:
        proc = subprocess.run(
            [openclaw_bin, "cron", "delete", job_id],
            capture_output=True, text=True, timeout=15,
        )
Confidence
98% confidence
Finding
proc = subprocess.run( [openclaw_bin, "cron", "delete", job_id], capture_output=True, text=True, timeout=15, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
or str(HOME / ".npm-global" / "bin" / "openclaw")
    )
    try:
        proc = subprocess.run(
            [openclaw_bin, "cron", "edit", job_id, "--model", model_id],
            capture_output=True, text=True, timeout=15,
        )
Confidence
98% confidence
Finding
proc = subprocess.run( [openclaw_bin, "cron", "edit", job_id, "--model", model_id], capture_output=True, text=True, timeout=15, )

Tainted flow: 'openclaw_bin' from os.environ.get (line 955, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
or str(HOME / ".npm-global" / "bin" / "openclaw")
    )
    try:
        proc = subprocess.run(
            [openclaw_bin, "restart"],
            capture_output=True, text=True, timeout=10,
        )
Confidence
99% confidence
Finding
proc = subprocess.run( [openclaw_bin, "restart"], capture_output=True, text=True, timeout=10, )

Tainted flow: 'openclaw_bin' from os.environ.get (line 955, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
or str(HOME / ".npm-global" / "bin" / "openclaw")
    )
    try:
        proc = subprocess.run(
            [openclaw_bin, "cron", "delete", job_id],
            capture_output=True, text=True, timeout=15,
        )
Confidence
99% confidence
Finding
proc = subprocess.run( [openclaw_bin, "cron", "delete", job_id], capture_output=True, text=True, timeout=15, )

Tainted flow: 'openclaw_bin' from os.environ.get (line 955, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
or str(HOME / ".npm-global" / "bin" / "openclaw")
    )
    try:
        proc = subprocess.run(
            [openclaw_bin, "cron", "edit", job_id, "--model", model_id],
            capture_output=True, text=True, timeout=15,
        )
Confidence
99% confidence
Finding
proc = subprocess.run( [openclaw_bin, "cron", "edit", job_id, "--model", model_id], capture_output=True, text=True, timeout=15, )

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file is described as a status dashboard, but it also contains powerful state-changing operations: restarting OpenClaw, updating agent models, running cron jobs, editing cron models, and deleting jobs. That mismatch is dangerous because operators may deploy it as a low-risk monitoring interface while it actually exposes a control plane.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
`required_token` is explicitly set to `None`, which disables auth across the dashboard while exposing multiple administrative endpoints. In context, this turns a local web dashboard into an unauthenticated control interface capable of modifying config, restarting services, triggering jobs, and deleting scheduled tasks.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code comment says the page should work without token input and then forces `required_token = None`, even though token-based auth helpers exist elsewhere. This is a red flag because it suggests security controls were intentionally bypassed for convenience, leaving dangerous endpoints open by default.

Missing User Warnings

High
Confidence
100% confidence
Finding
Authentication is disabled entirely while the app exposes state-changing operations such as model changes, cron execution, deletion, and service restart. This is a direct access-control failure, not just a quality issue, because any reachable client can invoke privileged backend actions.

VirusTotal

64/64 vendors flagged this skill as clean.
