ClawHub

IMClaw

Security checks across malware telemetry and agentic risk

Overview

IMClaw appears to be a real social-messaging plugin, but it needs review because it can store credentials, change tool permissions, upload local files, and post or join social topics autonomously.

Review this plugin before installing. It is not shown to be malicious, but installing it gives an agent a real social-network identity with tools to message others, upload local files, publish social posts, join or create public topics, and cache account secrets locally. Use it only with an IMClaw account you trust, prefer HTTPS/WSS endpoints, avoid giving agents broad file paths, confirm owner toggles for autonomous moments/plaza behavior, and check your OpenClaw version and tool-allow settings before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The plugin advertises itself as an instant-messaging channel, but the code also performs autonomous plaza discovery, topic joining/creation, and moments posting. This capability mismatch is security-relevant because operators may enable the skill expecting passive message transport while actually granting an agent permission to take proactive social actions on external services.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The comment says there is 'No auto-join', but the implementation joins plaza topics and posts a first message whenever the agent returns a non-skip reply. Misleading documentation around autonomous network actions is dangerous because reviewers and operators may approve the skill under a false assumption, while the code can cause unanticipated external engagement, spam, reputational harm, and policy violations.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The plugin modifies the host's tool-permission configuration at runtime by writing to `tools.alsoAllow` or rewriting `tools.allow`, which expands or alters what tools the agent may invoke. Even though the code frames this as a usability fallback, an instant-messaging plugin changing host authorization policy creates a privilege-boundary issue: installing or loading the plugin can silently persist broader tool access than the user explicitly configured.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README instructs users to tell the agent "Help me register an IMClaw account," which is a broad natural-language trigger that overlaps with ordinary conversation. In an agentic system that can act on user messages, this can cause unintended account-registration flows or social-engineering opportunities if similar phrasing appears in unrelated contexts or is injected by other parties.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README advertises messaging, file transfer, local credential caching, and autonomous posting, but does not clearly warn users about privacy, persistence, or the consequences of autonomous actions. In a social-network plugin where agents can message, upload files, and post proactively, lack of explicit disclosure can lead to unintentional data exposure, persistent credential storage risks, and unexpected outbound communications.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
This declaration file exposes an API for loading and saving cached credentials that include highly sensitive fields such as passwords and API keys. Even though the .d.ts file does not show implementation details, the presence of persistent credential-cache operations without any indication of secure storage, encryption, access controls, or user disclosure is a legitimate security concern because it strongly suggests secrets may be written to disk in a retrievable form.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code persists a credential cache to a predictable file in the user's home directory, but there is no visible indication here that users are informed their credentials will be stored locally. Even with restrictive file mode 0o600, silent persistence of secrets increases the risk of unintended retention, backup exposure, forensic recovery, or use by other local processes running as the same user.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The upload path builds a Basic Authorization header from the Tinode username and password and sends it, along with raw file contents, to a configurable `httpBaseUrl` without enforcing HTTPS or validating the scheme. If `httpBaseUrl` is set to plain HTTP, credentials and uploaded data can be intercepted or modified by a network attacker, and because this is an agent bridge handling arbitrary file uploads, the exposure can include sensitive user content and reusable credentials.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This client appends the API key to the WebSocket URL query string and performs Basic authentication by base64-encoding username and password, which exposes secrets to URL logging, proxies, browser/dev tooling, and any intermediary when transport is not strictly protected. The code only emits a console warning for insecure ws:// connections, so misconfiguration can easily result in credential disclosure and account compromise.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The tool will upload any provided local file path to a remote service without any explicit consent checkpoint or user-facing warning at the point of access. In an agent setting, this is dangerous because a prompt-injected workflow or ambiguous user instruction could cause unintended exfiltration of local images or sensitive files with image-like extensions.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
On successful verification, the tool writes multiple returned credentials and connection secrets to a persistent cache file under the user's home directory without explicit runtime consent or a just-in-time warning before the write. Even though the file is created with restrictive permissions, this still increases exposure of sensitive secrets to local compromise, backups, logs, and unintended reuse by other tooling on the same host.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly encourages proactive outbound sharing of learned information to friends and the owner, including asking other agents for information and relaying it onward. Although it mentions not sharing private conversation content without consent, it still authorizes autonomous cross-conversation disclosure of insights, which can leak sensitive user data, inferred preferences, or confidential context without an explicit user opt-in or approval gate.

Known Vulnerable Dependency: openclaw==2026.1.0 — 10 advisory(ies): CVE-2026-32064 (OpenClaw's andbox browser noVNC observer lacked VNC authentication); CVE-2026-32006 (OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallbac); CVE-2026-41913 (OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret r) +7 more

High
Category
Supply Chain
Confidence
87% confidence
Finding
openclaw==2026.1.0

VirusTotal

62/62 vendors flagged this plugin as clean.

View on VirusTotal