AGI Farm

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly aligned with its multi-agent setup purpose, but its dashboard exposes unauthenticated controls that can read and change workspace and cron state.

Install only if you are comfortable with persistent OpenClaw automation and a browser-accessible dashboard that can expose and change workspace state. Prefer running the dashboard bound to localhost only, behind authentication, and avoid public GitHub export unless you have reviewed the generated files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Confidence: 95%
Content:
```python
if path.startswith("/api/cron/") and path.endswith("/trigger"):
    cron_id = path.split("/")[3]
    try:
        subprocess.Popen(["openclaw", "cron", "run", cron_id],
                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        reply({"ok": True, "cron_id": cron_id, "action": "triggered"})
    except Exception as e:
```
Finding: subprocess.Popen(["openclaw", "cron", "run", cron_id], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Confidence: 81%
Content:
```python
        print(f"  [dry-run] {' '.join(cmd)}")
        return True
    try:
        r = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
        return r.returncode == 0
    except Exception:
        return False
```
Finding: r = subprocess.run(cmd, capture_output=True, text=True, timeout=15)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The dashboard exposes multiple unauthenticated POST endpoints that change task state, approve or reject HITL decisions, trigger cron jobs, and toggle cron enablement. Because the HTTP server is created with an empty bind address, it may be reachable from other hosts on the network, turning a monitoring dashboard into an admin control surface without access control.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: This endpoint directly edits the global OpenClaw cron configuration under the user's home directory, allowing remote callers to enable or disable jobs without authentication. That can disrupt automation, persistence, monitoring, or scheduled safety checks across the user's environment, not just within the current workspace.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The README explicitly advertises actions that can modify the user's environment and external resources, including writing workspace files, registering cron jobs, installing frameworks, launching persistent services, and pushing to GitHub, but it does not clearly foreground consent, scope, or side effects. In an agent skill context, this is dangerous because users may treat setup as low-risk, documentation-driven automation and unintentionally authorize persistent system changes or remote publication of data.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The setup flow creates a public GitHub repository and pushes the generated bundle without a prominent warning that local workspace contents will leave the machine and become publicly accessible. In a tool that aggregates agents, tasks, personas, logs, and workspace artifacts, accidental publication could expose sensitive prompts, configuration, project context, or proprietary work.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The dashboard section advertises an always-on LaunchAgent and SSE server that continuously watches workspace files and serves live data to a browser, but it does not clearly warn that sensitive workspace content will be exposed over a local HTTP endpoint. Even if bound locally, browser-accessible telemetry and persistent background monitoring increase the attack surface and the risk of unintended disclosure to other local users, processes, or browser sessions.

Missing User Warnings

Severity: Low
Confidence: 92%
Finding: The stylesheet imports Google Fonts from a third-party origin, which causes clients loading the dashboard to make a network request to Google. This leaks user metadata such as IP address, user agent, and timing information to an external service, and may create privacy/compliance issues in internal tooling environments where outbound requests are unexpected.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: The dashboard includes state-changing actions with no apparent confirmation, warning, or guardrails, which increases the chance of accidental or silent changes to automation behavior. While this is weaker than the authentication issue, it still creates operational and security risk by making sensitive actions easy to invoke from the UI or via direct HTTP requests.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: This code registers persistent cron jobs through `openclaw cron add` with no confirmation prompt other than normal status output. In the context of an agent bootstrap skill that automates setup, silently creating scheduled tasks increases the chance of unintended persistence and background execution beyond what a user expected.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal