Paw Chat

Verdict: Warn. Audited by ClawScan on May 10, 2026.

Overview

Paw Chat appears to be a coherent OpenClaw web chat frontend, but it stores a gateway token in the browser and appears to render chat Markdown/HTML without sanitization, which could let malicious content run code in the page.

Treat this as a Review item rather than proven malware. Before installing, verify the source/package contents, use only a trusted Gateway URL, prefer a revocable/scoped token, and patch or confirm sanitization of rendered Markdown/HTML so malicious chat content cannot run in the browser.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious assistant response, session history item, or tool output could potentially inject browser-executed code into the Paw page and then access the saved gateway token or interact with the gateway as the user.

Why it was flagged

Chat content is converted to HTML using marked, while custom image/link renderers interpolate href/text into HTML without visible sanitization or URL-scheme restrictions.

Skill content

return `<img loading="lazy" data-src="${href}" alt="${escHtml(alt)}" class="chat-img lazy-img" onclick="showImageLightbox(this.src)">`; ... return `<a href="${href}" target="_blank" rel="noopener">${text}</a>`; ... return marked.parse(text);

Recommendation

Sanitize all rendered Markdown/HTML with a vetted sanitizer, escape attributes and link text, restrict URL schemes, and add a strict Content Security Policy before using this with untrusted content.

What this means

The token is expected for connecting to the Gateway, but anyone with access to that browser profile—or injected page script—may be able to reuse it for OpenClaw actions.

Why it was flagged

The frontend persistently stores the OpenClaw Gateway token in browser localStorage.

Skill content

localStorage.setItem('oc-chat-cfg', JSON.stringify({ url: cfgUrl.value, token: cfgToken.value, session: cfgSession.value }))

Recommendation

Use a revocable or scoped Gateway token if available, avoid shared browsers, clear localStorage when done, and ensure the registry metadata clearly declares the credential use.

What this means

Chat messages, uploaded images, and the token will be sent to the Gateway URL the user configures; a wrong or untrusted URL would receive that data.

Why it was flagged

The skill discloses a user-configured WebSocket connection to an OpenClaw Gateway and support for uploading images.

Skill content

WebSocket connection: connects directly to the OpenClaw Gateway ... Image support: supports pasting, drag-and-drop, and uploading images ... Gateway URL ... Token

Recommendation

Verify the Gateway host before connecting, prefer wss:// or localhost for sensitive use, and avoid uploading private files to untrusted gateways.

What this means

The reviewed artifact set appears incomplete, so installation may fail or users may be pushed toward unreviewed external package paths.

Why it was flagged

The install script requires assets/logo.jpg, but the provided file manifest does not include logo.jpg; package.json also references CLI files not present in the manifest.

Skill content

set -e ... cp "$ASSETS_DIR/logo.jpg" "$UIROOT/"

Recommendation

Ship all referenced assets and CLI files with the skill, or update the docs/scripts to match the reviewed package contents.