Censgate OpenClaw Redact

Security checks across malware telemetry and agentic risk

Overview

This plugin appears to do what it advertises, but it should only be used with a trusted Redact API endpoint because prompts and tool parameters may be sent there.

Install only if you are comfortable sending potentially sensitive prompts and tool parameters to the configured Redact API. Keep the endpoint local or controlled by your organization for sensitive workflows, avoid audit-only mode when you need actual redaction, and enable Docker auto-start only with a trusted image and host configuration.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Intent-Code Divergence

Medium

Confidence: 97% confidence
Finding: This is a real data exposure issue. In `audit-only` mode, the function sets `placeholder` to `originalValue`, which means sensitive data is emitted unchanged even though the surrounding logic and comment imply a safer handling mode; a caller expecting redaction or masked audit output could inadvertently log, display, or forward secrets/PII. The skill context increases risk because this file is specifically a redaction component, so consumers are likely to trust it to protect sensitive content.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: This function forwards arbitrary input text to a remote HTTP analysis client via `client.analyze(text)`. If the caller passes sensitive content, the code causes data to leave the local trust boundary without any indication here of consent, minimization, locality guarantees, or safeguards, creating a real privacy and data-handling risk.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The client sends arbitrary input text to a remote endpoint via POST, which creates a real privacy and data-handling risk if callers pass sensitive content without clear disclosure or consent controls. In this file there is no mechanism for local-only processing, user acknowledgment, data minimization, or restriction on where the configured endpoint points, so the danger depends heavily on how the skill is exposed and what text it processes.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: This plugin sends user message content and tool-call parameters to an external HTTP-based redaction service before forwarding prompts onward. Even though the purpose is privacy protection, transmitting potentially sensitive content to a third-party service creates an additional data exposure boundary, and this file provides no user-facing notice, consent flow, or apparent restriction on what may be sent.

Known Vulnerable Dependency: openclaw==2026.4.20 — 10 advisory(ies): CVE-2026-44116 (OpenClaw validates Zalo outbound photo URLs through the SSRF guard); CVE-2026-45003 (OpenClaw: Workspace dotenv files cannot override connector endpoint hosts); CVE-2026-44113 (OpenClaw: OpenShell FS bridge reads pin and verify the opened file before return) +7 more

High

Category: Supply Chain
Confidence: 97% confidence
Finding: openclaw==2026.4.20

VirusTotal

62/62 vendors flagged this plugin as clean.

View on VirusTotal