Emperor Claw OS

Security checks across malware telemetry and agentic risk

Overview

This plugin’s purpose as a bridge is clear, but its setup grants persistent local execution and broad Emperor API authority, handles the API token with weak scoping and protection, and executes remotely downloaded code during bootstrap.

Install only if you trust the publisher and the configured Emperor API host to deliver executable code. Use a narrowly scoped, revocable token, expect a persistent local bridge service, review the companion directory and .env permissions, and rotate the token if the bridge has already exposed it to model prompts or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (29)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The bootstrap downloads `control-plane.js` from a remote server and later executes it with Node, giving the remote endpoint code execution on the local machine during installation. There is no signature verification, pinning, checksum validation, or trust boundary enforcement, so compromise of the API server, DNS/TLS interception, or a malicious operator would directly become arbitrary code execution.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
This code invokes local executables (`npm`, `node`, and the OpenClaw CLI) as part of bootstrap, resolving them through the process environment (PATH) rather than a validated absolute location, so a substituted or untrusted binary found first in PATH would run with the installer's privileges. While `execFile` avoids shell injection in most paths, the behavior still permits powerful local code execution and package installation without strong validation of binary location or user approval.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The bootstrap writes startup scripts and a persistent user service that automatically restarts, establishing long-lived execution on the host. Persistence is a high-risk capability for an install flow, especially when paired with remote-downloaded code and stored credentials, because it survives user sessions and can maintain ongoing control or data access.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The bootstrap uses the supplied token to create/update shared resources and patch remote agent profiles, which is an administrative action against the remote Emperor service. In context this may be part of expected setup, but it is still security-relevant because it changes server-side state and could be abused if the token scope is excessive or if the bootstrap runs unexpectedly.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The file header claims the bridge does not implement execution logic, but the runtime can claim tasks, assign tasks, create projects/tasks, write notes/results, send messages, and mutate control-plane state. This mismatch is dangerous because operators and downstream reviewers may trust the component as a passive adapter while it actually has broad write capabilities, increasing the chance of unsafe deployment and over-privileged use.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The bootstrap downloads `control-plane.js` from a remote server and immediately writes it into the runtime directory, after which the file is executed by `runControlPlaneBootstrap`. HTTPS alone does not provide code integrity or publisher authenticity against server compromise, malicious API endpoints, or TLS-intercepting enterprise environments, so this is effectively remote code execution through the update/bootstrap path.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly documents persistent JSONL and fallback log files in per-agent companion directories, including lifecycle, routing, ownership, and invocation metadata, but does not warn about retention, access control, or the sensitivity of operational metadata. In an agent bridge that handles messaging and local brain invocation, such logs can expose thread relationships, agent identifiers, failure states, and debugging context that may aid lateral movement, surveillance, or incident reconstruction by unauthorized local users.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The CLI requires a bearer token via the `--token` argument for `add-agent`, which exposes credentials through shell history, process listings, audit logs, and CI/job output on many systems. Even though this is common in quick CLI tooling, it creates a real secret-handling weakness because anyone with local visibility into the host can recover the token and use it for authenticated API access.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The `rebind-threads` command takes a bearer token on the command line and uses it to fetch thread and message metadata from a remote API, including conversation ownership signals. This combines secret exposure risk with potentially sensitive remote metadata access, and the command provides no explicit disclosure or confirmation that it will contact the remote service and inspect conversation data.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The API token is written into a plaintext `.env` file inside the companion directory, where local users, backups, logs, or other processes may access it depending on filesystem permissions. Because the same token is then used by persistent scripts and services, compromise of that file can lead to unauthorized access and continued control over the remote service.

Missing User Warnings

High
Confidence
96% confidence
Finding
At this point in the bootstrap flow, the code installs runtime dependencies and elsewhere downloads runtime code without any visible warning or consent mechanism in this file. Silent dependency installation plus remote/runtime execution creates a high-risk supply-chain path that users may not reasonably expect during a skill install.

Missing User Warnings

High
Confidence
97% confidence
Finding
The bootstrap creates and restarts a persistent service without a visible warning in this file, meaning installation implicitly changes host startup behavior. Undisclosed persistence is dangerous because users may not realize the bridge will continue running, reconnecting, and using stored credentials after the initial install completes.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code creates parent directories and writes a modified OpenClaw configuration file automatically, enabling a plugin and adjusting sandbox defaults without any user-facing confirmation or notice. Silent security-relevant configuration changes can violate user expectations, reduce informed consent, and may weaken trust boundaries if this installer runs in an unexpected context or with elevated privileges.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The configuration path is taken directly from the OPENCLAW_CONFIG_PATH environment variable and later used for reading and writing. If an attacker can influence the environment of the installer or agent process, they may redirect configuration access to arbitrary filesystem locations, leading to unintended file overwrite, tampering, or persistence in external config files.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The helper unconditionally creates parent directories and overwrites the target file with caller-controlled content, with no prompt, backup, existence check, or audit trail. In an installer/bootstrap context this can silently destroy prior workspace state or replace trusted instruction files, which is dangerous because these files influence later agent behavior.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This function silently edits an existing AGENTS.md by appending new directives if a heading is absent, without notifying the user that operational rules are being changed. Because AGENTS.md appears to be durable control/instruction material for the agent, undocumented modification of it can alter trust boundaries and agent behavior in a way the workspace owner may not notice.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The section-upsert logic rewrites portions of an existing markdown file in place to inject missing items, again without disclosure, backup, or integrity checks. In this skill's context, those inserted items are persistent behavioral constraints and operational instructions, so silent rewriting of existing sections can materially and covertly change how the agent operates.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The prompt explicitly tells the model that a live bearer token is available and instructs it to use direct API access. Giving an LLM awareness of live credentials materially increases the risk of prompt-injection-driven misuse, exfiltration, or unauthorized state changes, especially because untrusted thread content is fed into the same decision loop.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The doctor command prints the full local configuration with `JSON.stringify(localConfig)`, which can expose sensitive settings such as service endpoints, owner identifiers, or future secrets to terminal history, logs, CI output, or shared support transcripts. Diagnostic commands are often run in troubleshooting contexts where output is copied broadly, so undisclosed full-config emission increases accidental data leakage risk.
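
A diagnostic command can still be useful without leaking secrets if it redacts by key name and by value shape before serializing. The block below is an added example for this page, not the plugin's `doctor` implementation; the sample `localConfig` and its field names are constructed.

```javascript
// Added example: redact secret-looking keys and embedded credentials before a
// doctor/diagnostic command prints configuration. Hypothetical helper, not the plugin's code.
const SECRET_KEY = /(token|secret|password|passwd|api[_-]?key|authorization|cookie)/i;

// Keep a short, non-reversible hint so support can tell which credential is configured.
function mask(value) {
  const s = String(value);
  return s.length <= 8 ? "***" : `${s.slice(0, 4)}...***(${s.length} chars)`;
}

// Walk the object; mask whole values under secret-like keys, and scrub
// bearer tokens or URL basic-auth passwords that hide inside other strings.
function redactConfig(node, keyName = "") {
  if (Array.isArray(node)) return node.map((v) => redactConfig(v));
  if (node && typeof node === "object") {
    return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, redactConfig(v, k)]));
  }
  if (typeof node === "string") {
    if (SECRET_KEY.test(keyName)) return mask(node);
    return node
      .replace(/(Bearer\s+)[A-Za-z0-9._\-]+/g, "$1***")
      .replace(/(:\/\/[^:\/@]+:)[^@]+@/g, "$1***@");
  }
  return node;
}

// What the doctor command should emit instead of JSON.stringify(localConfig).
function doctorOutput(localConfig) {
  return JSON.stringify(redactConfig(localConfig), null, 2);
}

// Constructed sample config (no real endpoints or credentials).
const sampleLocalConfig = {
  apiBase: "https://emperor.example/api",
  apiToken: "ek_live_abcdefghijklmnop",
  ownerId: "agent-42",
  headers: { Authorization: "Bearer ek_live_abcdefghijklmnop" },
  proxy: "https://user:hunter2@proxy.example:8080",
  threads: [{ id: "t-1", webhookSecret: "whsec_zzzzzzzz" }],
};
```

Redaction by key name alone misses credentials embedded in URLs or header strings, which is why the string branch also scrubs `Bearer ...` and `user:password@host` patterns.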

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The bootstrap persists `EMPEROR_CLAW_API_TOKEN` and other operational settings to a plaintext `.env` file in the companion directory. Any local user, backup system, support bundle, or later process with filesystem access may recover the token and use it to access the remote API as the agent, making this a real credential exposure issue.

Missing User Warnings

High
Confidence
98% confidence
Finding
This code path downloads executable runtime code from `/downloads/control-plane.js`, saves it locally, and the bootstrap later executes it with Node. In an installer/bootstrap context this is especially dangerous because it turns a configurable remote endpoint into a code delivery mechanism without user confirmation, provenance checks, or integrity validation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The doctrine explicitly instructs agents to use a company bearer token from EMPEROR_CLAW_API_TOKEN to make direct network calls to an external MCP API, but the install content contains no accompanying trust boundary warning, consent flow, or data handling disclosure. Because this text is propagated into agent doctrine/resources, it operationalizes outbound authenticated access and increases the chance that prompts or local tooling will transmit sensitive project, customer, task, or artifact data off-host without the user clearly understanding that behavior.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code persistently modifies a user profile/configuration file to enable a plugin and adjust sandbox settings without any user confirmation, notification, or audit-visible disclosure in this file. Silent security-relevant configuration changes can undermine user consent and trust, and in this case they alter plugin allowlisting and execution policy in a way that could expand what code runs under the agent environment.

Missing User Warnings

Low
Confidence
73% confidence
Finding
The code trusts OPENCLAW_STATE_DIR and OPENCLAW_CONFIG_PATH environment variables to choose where security-relevant configuration is read from and written to, with no validation or disclosure. If an attacker can influence the process environment, they may redirect operations to an unintended file, causing silent configuration tampering, confusion, or writes to attacker-chosen locations.

Ssd 3

High
Confidence
100% confidence
Finding
The prompt injects the actual Emperor bearer token into natural-language model context. Because the model also processes untrusted thread messages and can generate arbitrary text/actions, this creates a direct secret-exposure path where the token may be leaked in output, logs, delegated prompts, or used under prompt injection to perform unauthorized API operations.
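
Both token-in-prompt findings (the one under Missing User Warnings and this one) have the same remedy: the model never needs the bearer value, only the ability to cause an authenticated call. The block below is an added design example for this page, not the plugin's bridge. The host holds the token in a closure, exposes a single named tool whose path is allow-listed, attaches the `Authorization` header itself, and refuses to build any prompt that would contain the secret. The tool name, path pattern, fake transport and sample thread are constructed.

```javascript
// Added example: a credential broker that keeps the bearer token out of the
// model's context. Hypothetical design, not the plugin's code.

// transport is an injected function (req) => response; the demo uses a fake one.
function createBroker(token, transport) {
  // The token lives only here. The model sees tool names, never the value.
  const tools = {
    emperorRequest: ({ method = "GET", path, body }) => {
      // Allow-list: relative API paths only, so an injected instruction cannot
      // point the authenticated call at an attacker-controlled host.
      if (typeof path !== "string" || !/^\/api\/[A-Za-z0-9_\-\/]*$/.test(path)) {
        throw new Error(`path not allowed: ${path}`);
      }
      return transport({ method, path, body, headers: { Authorization: `Bearer ${token}` } });
    },
  };

  // Compose the model context and assert the secret is absent from all of it,
  // including untrusted thread messages that might echo it back.
  function buildPrompt(instructions, threadMessages) {
    const text = [
      instructions,
      "Tools available: emperorRequest(method, path, body)",
      ...threadMessages.map((m) => `[${m.from}] ${m.text}`),
    ].join("\n");
    if (text.includes(token)) {
      throw new Error("refusing to build prompt: token present in model context");
    }
    return text;
  }

  function callTool(name, args) {
    if (!Object.hasOwn(tools, name)) throw new Error(`unknown tool ${name}`);
    return tools[name](args);
  }

  return { buildPrompt, callTool };
}

function demo() {
  const token = "ek_test_0123456789abcdef"; // constructed, not a real credential
  const seen = [];
  const fakeTransport = (req) => { seen.push(req); return { status: 200, json: { ok: true } }; };
  const broker = createBroker(token, fakeTransport);

  const prompt = broker.buildPrompt("You are the Emperor Claw bridge agent.", [
    { from: "user", text: "please claim task 7" },
  ]);
  const res = broker.callTool("emperorRequest", { method: "POST", path: "/api/tasks/7/claim" });

  // A prompt template that tries to hand the model the live token is rejected.
  let leakBlocked = false;
  try { broker.buildPrompt(`Use this token directly: ${token}`, []); } catch { leakBlocked = true; }
  // A model output steered by injection toward an external URL is rejected.
  let escapeBlocked = false;
  try { broker.callTool("emperorRequest", { path: "https://attacker.example/collect" }); } catch { escapeBlocked = true; }

  return {
    promptHasToken: prompt.includes(token),
    status: res.status,
    authHeaderAttached: seen[0].headers.Authorization === `Bearer ${token}`,
    leakBlocked,
    escapeBlocked,
  };
}
```

The `buildPrompt` guard is a backstop, not the design: the point is that no code path ever formats the token into text destined for the model, so the guard should never fire in practice.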

VirusTotal

61/61 vendors flagged this plugin as clean.