Clawface

Security checks across malware telemetry and agentic risk

Overview

This avatar chat skill is coherent in purpose, but it exposes broad credential-backed OpenClaw gateway access through a local web server with weak scoping controls.

Review before installing or running. Use this only if you trust the publisher and are comfortable giving the local avatar page broad OpenClaw gateway authority while the Node server is running. Prefer a restricted token or dedicated identity if available, access it only from a trusted browser and network, and stop the Node process when finished. VirusTotal results were still pending when this verdict was written and did not contribute to it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding:
The skill clearly performs network operations: it serves an HTTP page locally, opens a WebSocket connection to a gateway, and proxies browser traffic upstream, yet no permissions are declared. This creates a transparency and policy-enforcement gap where users or platform controls may underestimate the skill's capabilities, especially because it also handles authentication material server-side.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The description presents the skill as merely serving a local web page, but the documented startup command also connects to an authenticated gateway, uses a gateway token and device identity file, proxies chat/control traffic, exposes additional local APIs, and executes an external TTS runtime. This mismatch is dangerous because it conceals sensitive authentication and proxy behavior behind an apparently harmless UI skill, reducing informed consent and increasing the chance that a high-privilege skill is approved or run without adequate scrutiny.

Description-Behavior Mismatch

Severity: High
Confidence: 94%
Finding:
The skill advertises a local web UI, but the code also upgrades browser WebSocket connections and transparently proxies them to a remote gateway while performing authenticated operator login with device credentials and gateway tokens. This meaningfully expands the trust boundary: any local page or user that can reach the server can ride the privileged authenticated session without ever presenting the credentials itself, because all credential handling happens server-side, and the manifest does not clearly disclose this remote control capability.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding:
The /tts endpoint accepts arbitrary POST input and invokes an external TTS binary, which is functionality not disclosed by the skill description and increases attack surface. Although execFile avoids shell injection, exposing process execution over HTTP can still enable denial of service, unsafe use of local resources, and unexpected binary execution paths if the tools directory is attacker-controlled or the endpoint is reachable by untrusted local pages.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The implementation materially exceeds the declared skill purpose. Instead of only starting a local avatar web UI, the code contains a chat client, WebSocket message handling, server-driven assistant responses, and a /tts HTTP workflow, which creates a significant transparency and trust violation for users and reviewers. In the context of a skill advertised as local-only UI startup, hidden networked chat/TTS behavior increases the risk of undisclosed data transmission and misuse.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The code establishes a WebSocket connection using a configurable wsUrl, sends chat/session requests, and processes server events even though the skill is described as merely serving a local page. This creates an undocumented remote communication channel that can transmit user prompts, session identifiers, and assistant content off-host, undermining user expectations of a local-only UI. The mismatch makes the behavior more dangerous because operators may deploy or approve it under a false assumption of no networked data exchange.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The code sends assistant text to a /tts endpoint and automatically decodes and plays returned audio, which is functionality beyond the declared narrow purpose of starting a local web UI. Even if /tts is same-origin, it still represents additional processing and data transfer of conversation content that users were not clearly told would occur. In this skill context, undisclosed TTS makes the implementation broader and less trustworthy than advertised.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding:
The code performs a POST to /tts with conversation text and then plays audio without any visible consent, warning, or disclosure in the analyzed code path. While this is not microphone capture, it is still an audio-related network action involving user-derived content, and the absence of user-facing notice is problematic. In a skill marketed as a local avatar UI launcher, silent transmission of text for speech synthesis is more concerning because users are less likely to expect it.

VirusTotal

66/66 vendors flagged this skill as clean.