Security audit

NovoLens

Security checks across malware telemetry and agentic risk

Overview

This plugin appears purpose-built rather than malicious, but it grants its remote bridge and its LLM-driven remediation path too much local authority to be installed automatically without careful review.

Install only if you trust the NovoLens bridge operator and want the security-fix features. Review or disable automatic remediation where possible, avoid exposing NOVOLENS_QR_HOST beyond loopback, treat any printed API key or binding URL as secret, and use a least-privileged OpenClaw account with backups before enabling remote security fixes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (45)

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding:
The README explicitly states the plugin requires dangerous installation flags because it uses child_process and performs security scanning, auto-remediation, and QR rendering via shell-executed helpers. Even if intended as product functionality, combining a messaging bridge with local shell-capable remediation materially increases attack surface and the blast radius of any compromise or misconfiguration.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding:
The file presents the channel as a NovoLens WeChat Mini Program, but outbound operations use Telegram Bot API-style endpoints such as /bot<token>/sendMessage, /sendPhoto, and /sendVideo. This mismatch is dangerous because operators may believe data is going to one service while chat content, identifiers, and media are actually sent to a different bridge/API model, creating a strong risk of covert exfiltration or deployment of the wrong integration.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The comments state that failed-item enrichment should only provide recovery advice, but the shared enrichWithLLM helper calls attemptAutoRemediation, which may execute commands. That means items in a failure path can trigger additional side effects contrary to operator expectations, increasing the risk of unsafe or repeated system changes during error handling. In a security fixer, unexpected command execution in a 'help/advice' phase is especially dangerous because it expands the trusted execution surface.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding:
The code comments say manual items only request suggestions before early return, but enrichWithLLM('manual') also routes through attemptAutoRemediation, which may execute remediation commands. This breaks the safety boundary implied by 'manual-only' checks and can cause automatic execution for items explicitly categorized as requiring human intervention. In this context, that is risky because manual-only checks include security-sensitive system states where automated commands may be privileged or disruptive.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The wizard maps the `httpPort` input to `parsePollInterval(...)` and stores it as `pollIntervalMs`, so the UI label suggests one setting while the code changes another. This can mislead operators into applying incorrect configuration values, causing unintended behavior and potentially weakening operational controls or troubleshooting assumptions.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The setup status output includes `API KEY: ${apiKey}` in user-facing terminal text, exposing the full secret during normal setup and status flows. Any user with terminal access, logs, screenshots, session recordings, or shell history capture could recover the credential and reuse it to impersonate the plugin or access protected services.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding:
The file advertises itself as a local-only QR server, but `SERVER_HOST` is configurable via `NOVOLENS_QR_HOST` and can be set to `0.0.0.0` or another non-loopback interface. If that happens, the service exposes the QR page and `/api/qr` to the network, which can leak sensitive binding material and the API key from the local OpenClaw config.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding:
The polling loop accepts remote 'security_fix' commands from polled updates and directly invokes applySecurityFix with attacker-influenced parameters. If the bridge or command channel is spoofed, compromised, or insufficiently authenticated, this creates a remote administrative action path that can change local security posture or system state well beyond message polling.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
This code intentionally takes commands proposed by an LLM, passes them through a lightweight sanitizer and a second LLM-based judge, and then executes approved commands on the host. Even with a whitelist, this is dangerous because the trust boundary is crossed from model output into system command execution, and the security decision itself partially depends on another probabilistic model rather than a deterministic policy engine.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
For non-PowerShell commands, the code uses execSync(cmd), which invokes a shell and allows shell metacharacter interpretation. If sanitizeCommand or downstream controls miss an edge case, an attacker-controlled or hallucinated command can expand into additional shell actions, leading to arbitrary command execution under the agent's privileges.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
This code expands a "security fixer" into an LLM-driven remediation engine that can generate and execute system commands via attemptAutoRemediation, which is materially more powerful than the surrounding config-edit workflow suggests. Because the command set is derived from model output and then applied to the host, any prompt manipulation, model error, weak allowlist, or unsafe executor behavior could lead to arbitrary or harmful local changes, privilege abuse, or persistent system misconfiguration.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding:
The setup status output includes the full configured API key in a status line and the completion flow also prints secrets back to the terminal. This creates an unnecessary credential disclosure channel through logs, screenshots, terminal scrollback, shared sessions, or support captures, which can lead to account compromise if the API key is reused by an attacker.

Context-Inappropriate Capability

Severity: Medium
Confidence: 99%
Finding:
The completion note explicitly echoes the full API key after configuration, exposing a stored credential beyond what is necessary to complete setup. Anyone with access to the console, shell history capture, CI logs, remote terminal session, or screenshots can recover the secret and impersonate the user or service.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The README says the plugin periodically uploads locally aggregated monitoring snapshots to a remote bridge, but it does not clearly disclose what user, agent, system, or session metadata is transmitted. In a local agent plugin context, silent telemetry export is security-relevant because it can expose sensitive operational data, conversation metadata, or system status to an external service.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The media send path accepts arbitrary local paths when mediaUrl is not HTTP(S), resolves them, loads the file, and uploads the contents to a remote bridge. If an attacker can influence mediaUrl, this enables local file exfiltration from the host running the plugin, which is far more severe than a mere disclosure issue.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The QR login flow embeds bindCode or apiKey-derived binding material into a QR target and exposes the base binding URL in the returned message, while the wait flow polls bind status using that same target. If bindCode is absent, using the apiKey itself as binding material risks credential exposure through QR display, logs, screenshots, or interception of the binding URL.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The code logs identifiers and message metadata including accountId, openid, chatId, chatType, needReply, and sessionKey. These values can expose personal data and internal correlation identifiers to operators, log processors, or anyone with log access, creating a privacy and data-handling risk even if the logging was added for debugging or observability.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The API key is embedded directly into the request URL, which is dangerous because URLs are commonly logged by servers, proxies, monitoring tools, browser/dev tooling, and error messages. Although the colon is percent-encoded, that does not protect the secret; it still exposes credentials to any system that records request URLs, increasing the chance of credential leakage and unauthorized use of the reporting endpoint.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
This code sends detailed host context and remediation data to an LLM, including OS, Node.js version, config path, check details, and attempted action messages, without any visible consent, minimization, or redaction in this component. That creates a real data-exposure risk because local environment details and potentially sensitive configuration paths or failure messages may be transmitted to an external model service.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
This file explicitly executes LLM-generated remediation commands via execSync/execFileSync after only whitelist and LLM-judge checks, but there is no user-facing confirmation at the execution point. Because the commands are derived from scan data and model output, a prompt-injection mistake, whitelist bypass, or overly broad allowed command could cause unauthorized system changes without the user's informed consent.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The telemetry call records outbound delivery details including full message text, account identifiers, API key context, media kinds, and error information to a store prepared by prepareTelemetryStore. Persisting conversational content and identifiers for telemetry increases the blast radius of any local compromise, log exposure, or unintended access to the telemetry store, especially because message text may contain secrets or personal data.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The code transmits agent profile data, session counts, and raw behavioral summaries to an external bridge endpoint via HTTP POST, but this file shows no user-facing notice, consent check, or policy gate before sharing telemetry-derived data. Even if the endpoint is legitimate, silent export of behavioral data increases privacy and compliance risk, especially when bridgeUrl is configurable and rawSummary may contain sensitive operational details.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The behavioral summary is sent into a runtime/gateway analysis flow without any visible disclosure that locally collected telemetry is being shared with another processing component. This creates a data handling risk because the summary text may include sensitive behavioral or operational signals, and the downstream gateway may invoke external or separately governed model infrastructure.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
This line directly places the full API key into setup/status terminal output without masking or warning. In setup contexts, terminal output is often broadly visible or logged, so this creates a straightforward secret disclosure risk with low effort required for abuse.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The completion note prints `API Key: ${apiKey}` in cleartext after setup. Completion screens are especially likely to be copied, screenshotted, or retained in logs, so exposing a live credential here significantly increases the chance of credential theft and unauthorized reuse.

VirusTotal

61/61 vendors flagged this plugin as clean.