OpenClaw Viz

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw dashboard, but it exposes sensitive local agent data and powerful control actions without effective access controls.

Use only in an isolated local environment, and do not expose the server to a LAN or the internet. Before operational use, add real authentication and authorization, bind to localhost by default, restrict cluster URLs, protect or avoid stored tokens, regenerate lockfiles from HTTPS registries, and assume the dashboard can read/export local OpenClaw conversations and run OpenClaw control commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
The cluster discovery and health-check endpoints let the server probe local and network-accessible hosts, effectively exposing SSRF-style network reconnaissance capabilities from the application. In this dashboard context, that is broader than passive visualization and can be abused to map internal services or trigger authenticated outbound requests to attacker-controlled URLs.

Context-Inappropriate Capability

Severity: Medium
Confidence: 82%
Finding
The code executes shell commands such as ps, journalctl, uptime, free, and df to inspect the local system and processes. Even without direct user-controlled command injection at this location, exposing this level of host introspection to API consumers increases attack surface and leaks operational details that are unnecessary for a minimally scoped visualization service.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The service exposes direct control actions for users, policies, replay, audit export, clusters, and authentication-related configuration without real authentication enforcement on sensitive routes. In a monitoring UI, these operational controls materially increase risk because an unauthorized caller can alter system behavior, cluster configuration, or access sensitive data rather than merely observe status.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The 'immutable audit' mechanism is not actually tamper-evident because it stores records and their verification hashes in the same writable local file using a non-cryptographic hash. An attacker who can modify the file can recalculate hashes and rewrite history, creating a false sense of forensic integrity.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The advertised auth/SSO flow is insecure because /api/auth/login mints a token directly from user-supplied userId, name, and role, and token verification does not validate any real signature. This means any client can self-assert identity and privilege, resulting in trivial authentication bypass and privilege escalation.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The README explicitly states that the dashboard reads from `~/.openclaw/agents/` and `~/.openclaw/cron/`, which likely contain agent transcripts, prompts, logs, and other sensitive operational data, but it does not warn about confidentiality or least-privilege handling. In a multi-agent observability and intervention tool, this omission increases the risk that operators deploy it without understanding the privacy and security implications of exposing local session data through a web UI.

Natural-Language Policy Violations

Severity: Medium
Confidence: 98%
Finding
The lockfile pins package downloads to an unauthenticated HTTP mirror (mirrors.tencentyun.com), which allows a network attacker or compromised mirror to tamper with package tarballs in transit. Although npm integrity hashes provide some protection, using HTTP still weakens supply-chain trust, can leak dependency metadata, and creates avoidable risk if integrity checks are bypassed, disabled, or inconsistently enforced in tooling.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The UI triggers '/api/clusters/discover' to scan the local network and even displays 'Scanning ports and DNS...', but it does not provide meaningful notice about what hosts or ranges may be probed, what data is collected, or the privacy and policy implications. In an agent/admin tool context, silent network discovery can surprise users, violate internal security expectations, and expose the application to misuse as a network reconnaissance feature.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The component accepts and persists cluster connection details through addCluster(form.name, form.url, form.token) without telling the user where URLs and tokens are stored, how long they are retained, or whether they are protected. Because the data includes optional authentication material, lack of disclosure and handling safeguards can lead to accidental credential exposure or insecure storage of sensitive infrastructure endpoints.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
Allowing a raw authentication token to be copied to the system clipboard increases the chance of credential exposure through clipboard history, clipboard-sync services, other local applications, or accidental pasting into chats and terminals. In this skill context, the danger is elevated because the token is explicitly surfaced in the UI and tied to local JWT authentication, making session theft possible if the token is reused elsewhere.

Vague Triggers

Severity: Low
Confidence: 98%
Finding
The lockfile pins package tarball URLs to plain HTTP mirrors (for example, mirrors.tencentyun.com), which permits man-in-the-middle tampering of dependency downloads if the registry or network path is compromised. While integrity hashes provide some protection, using unauthenticated transport for package source metadata is still a supply-chain risk and can also break trust assumptions in tooling and build environments.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
Session history, replay, and export endpoints expose message contents, tool results, timestamps, and metadata from agent conversations. In this operational dashboard, that can leak sensitive prompts, outputs, secrets, or personal data to any caller because the routes are not protected by effective authentication or disclosure controls.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The health-check logic sends stored bearer tokens in Authorization headers to cluster URLs configured through the application. If an attacker can register or modify a cluster URL, they can cause credential disclosure to arbitrary external endpoints, turning monitoring into a token exfiltration path.

Natural-Language Policy Violations

Severity: High
Confidence: 98%
Finding
The Google callback generates a token with the role field set from userInfo.email, so the role is derived from an arbitrary identity string rather than a controlled role mapping. Because permission checks trust token role values, this breaks authorization semantics and can produce undefined or unsafe access behavior.

VirusTotal

66/66 vendors flagged this plugin as clean.