MLflow Tracing

Security checks across malware telemetry and agentic risk

Overview

This MLflow tracing plugin does what it advertises, but it can export and store sensitive prompts, outputs, tool data, and identity metadata without enough disclosure or redaction controls.

Review before installing. Use this only with a trusted MLflow server and avoid enabling it in environments where prompts, tool outputs, files, credentials, personal data, or proprietary content may appear in agent runs. Prefer disabling it unless you have redaction, access control, and retention policies in place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The README explicitly states that the plugin automatically traces OpenClaw agent executions, including LLM calls, tool invocations, and sub-agent spans, but it does not clearly warn that prompts, outputs, tool inputs/outputs, or other potentially sensitive operational data may be captured and stored in MLflow. In an observability plugin for agent systems, this omission can lead operators to enable tracing without understanding the privacy and data-governance implications, increasing the risk of unintentional collection of secrets, personal data, or proprietary content.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: This service exports user prompts, conversation history, model outputs, and session/user metadata to an external MLflow tracking backend. In an agent/plugin context, those fields can contain secrets, personal data, internal instructions, or regulated content, and there is no evidence in this file of consent, opt-in, minimization, or redaction before transmission beyond limited marker stripping.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: Tool parameters and results are captured and sent to MLflow, and these commonly contain especially sensitive material such as API inputs, file contents, command output, tokens, database rows, or secrets retrieved by tools. In an agent skill, tool I/O often has broader system access than plain chat text, so exporting it externally significantly increases confidentiality risk and blast radius.

Missing User Warnings

Severity: Low
Confidence: 90%
Finding: The service attaches environment-derived, user-identifying metadata such as process.env.USER and session identifiers to MLflow traces. While lower impact than full content export, this still leaks host/operator identity and enables correlation of sessions and users across systems without any visible disclosure or minimization in this file.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The plugin explicitly exports LLM traces to an MLflow server, but the description and UI help text do not warn that prompts, outputs, metadata, or other potentially sensitive trace data may be transmitted to an external endpoint. This creates a real transparency and data-leakage risk because users may enable tracing without understanding that conversational or operational data could leave the local environment.

VirusTotal

60/60 vendors flagged this plugin as clean.