ClawHub

OpenClaw Token Monitor

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real token-monitoring dashboard, but it exposes sensitive usage history and control endpoints through an unauthenticated network service.

Review before installing. Use this only on a trusted machine or bind it to localhost/firewall port 3000; avoid shared networks. Be aware it permanently stores token/session usage history, exposes unauthenticated APIs, and relies on third-party runtime assets and an undeclared `/tmp` dependency.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The page imports executable JavaScript and fonts from public CDNs at runtime, which creates a supply-chain and privacy risk: a compromised CDN, tampered dependency, or restrictive network environment can affect the dashboard without any change to the skill itself. This is relevant in a token-monitoring panel because the page also fetches internal usage data; any third-party script loaded into the page would execute with access to that data and the user's browser context.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The /api/config endpoint allows any network client to change POLL_INTERVAL without authentication. Because the server binds to 0.0.0.0 and does not verify origin or caller identity, an attacker on the reachable network can slow monitoring, increase resource consumption, or destabilize the process by forcing very frequent polling.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The dashboard exposes current snapshot and history data to any origin with Access-Control-Allow-Origin: * and the server listens on all interfaces. This makes token usage, session metadata, model names, and timing information accessible to any reachable web page or network client, creating an unnecessary information disclosure surface.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger conditions are broad enough to match ordinary requests about token usage or trends, which can cause the skill to activate in contexts where the user did not intend persistent monitoring or dashboard exposure. In a system that stores data indefinitely and starts a local or network service, overbroad activation increases privacy and surprise-risk even if the core functionality is legitimate.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation states that token monitoring data is written to a SQLite database and retained permanently, but it does not clearly warn users about the privacy implications of indefinite storage. Usage histories and session-level token details can reveal behavioral patterns, workload timing, and potentially sensitive operational metadata if accessed by other local users or exposed through the dashboard.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Multiple endpoints expose historical and real-time session usage data, including session keys, models, token counts, and activity timing, with no access control or user warning. In the context of a token-monitoring skill, this is especially sensitive because it can reveal operational patterns, active sessions, and cost/usage intelligence to anyone on the network.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal