Security audit

Paw Chat

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw web chat/admin UI, but it stores a powerful Gateway token in the browser and exposes agent-editing and scheduled-task controls without enough warning.

Install only if you trust the publisher, the hosted page or local files, the browser profile, and the Gateway endpoint. Treat the Gateway token like a password, avoid shared or untrusted machines, clear browser site data when done, and use the agent-file editor or scheduled-task controls only if you intend to grant this UI admin-level influence over future OpenClaw behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Severity: High, Confidence: 98%
Finding
The skill is described as a Paw installer/web-chat frontend, but this code also provides a full agent file editor for IDENTITY.md, SOUL.md, and USER.md via agents.files.get/set. That substantially expands the trust boundary: a user invoking a seemingly narrow UI skill can modify agent behavior and stored persona/configuration, which may alter future system behavior and expose sensitive operational capabilities.

Description-Behavior Mismatch

Severity: High, Confidence: 99%
Finding
This frontend also includes cron job management, including listing, creating, updating, running, and deleting scheduled tasks, which is unrelated to simply installing or using Paw as a chat frontend. That creates unexpected privileged automation capabilities under an innocuous skill description and can be abused to persist actions or trigger agent operations later without direct user awareness at execution time.

Context-Inappropriate Capability

Severity: High, Confidence: 99%
Finding
The code can read and overwrite agent identity, soul, and user profile markdown files through agents.files.set without that capability being justified by the skill's stated purpose. These files influence agent persona and behavior, so unauthorized or unexpected edits could manipulate future responses, operational instructions, or stored user context.

Context-Inappropriate Capability

Severity: High, Confidence: 99%
Finding
The code exposes broad cron controls: cron.add, cron.update, cron.run, and cron.remove. In context, that allows this chat UI to create persistent scheduled agent executions and trigger them on demand, which exceeds the expected scope of a frontend installer/chat interface and could be used for stealthy or recurring actions.

Missing User Warnings

Severity: Medium, Confidence: 90%
Finding
The README explicitly instructs users to run a command that prints the Gateway authentication token to the terminal, but it provides no warning that the value is sensitive or should be handled carefully. In a skill specifically meant to set up a web chat frontend, this increases the chance users will copy, paste, screenshot, or store the token insecurely, potentially enabling unauthorized access to the OpenClaw Gateway.

Missing User Warnings

Severity: Medium, Confidence: 92%
Finding
The instructions tell the user to retrieve an authentication token from ~/.openclaw/config.yaml and paste it into the web UI without any warning that it is a sensitive secret. This creates a real risk of credential exposure through shoulder surfing, browser storage, screenshots, logs, or accidental sharing.

Missing User Warnings

Severity: Medium, Confidence: 95%
Finding
The Gateway auth token is stored in localStorage, which persists across sessions and is accessible to any JavaScript running in the same origin. If the origin is ever compromised by XSS or another injected script, the token can be stolen and reused to access the Gateway.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.