Rocketchat Openclaw

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Rocket.Chat integration, but it hands agents admin, webhook, slash-command, and local-file upload capabilities with no confirmation gates, path allowlisting, or outbound-URL restrictions built in.

Install only if you intend to give an OpenClaw agent broad Rocket.Chat authority. Use a least-privilege bot account, avoid admin roles unless necessary, restrict who can message the bot, avoid exposing local-file upload to untrusted prompts, and review any webhook, slash-command, role, room, team, or asset-changing action before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Context-Inappropriate Capability

High
Confidence: 97%
Finding
This file is presented as a Rocket.Chat message-actions module, but it exposes a much broader set of privileged operations including role management, room administration, team deletion, webhook creation, asset changes, statistics access, and user/avatar management. In an agent-skill context, this materially expands the attack surface and enables high-impact administrative actions through the same dispatch entrypoint, making accidental misuse or prompt-induced abuse far more dangerous.

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The header comment claims the module implements message actions, but the code also performs extensive admin and server-management tasks such as deleting channels, managing roles, integrations, assets, and teams. This mismatch can mislead reviewers, operators, or policy layers into granting or approving the skill under a narrower trust assumption than its real capabilities justify.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The module header materially understates the skill’s capabilities by claiming only basic messaging actions while the file also exposes many high-impact administrative functions such as channel/team deletion, role changes, integrations, asset changes, and room management. In an agent-skill context, this misrepresentation can cause callers, reviewers, or policy layers to grant the skill broader authority than intended, increasing the chance of unauthorized destructive or administrative actions.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The messaging function accepts a caller-controlled mediaUrl, treats local paths as valid input, reads the referenced file from disk, and uploads it to Rocket.Chat. That gives this outbound messaging skill arbitrary local file exfiltration capability, which is significantly more powerful than simple message sending and becomes dangerous if untrusted input can reach mediaUrl or mediaLocalRoots.

Vague Triggers

Medium
Confidence: 94%
Finding
The permission set grants broad shell execution patterns such as `Bash(grep:*)`, `Bash(curl:*)`, and `Bash(python3:*)`, which allow an agent to supply largely arbitrary parameters to powerful tools. In combination with broad filesystem read access and other command permissions, this creates a practical path to data exfiltration, unreviewed code execution, and environment manipulation well beyond a narrowly scoped skill need.

Vague Triggers

Medium
Confidence: 89%
Finding
`WebSearch` is enabled without any domain, query, or purpose constraint, allowing the agent to retrieve arbitrary external content. That broad internet access increases prompt-injection exposure and enables discovery or transmission workflows that are unnecessary for a tightly controlled skill.

Vague Triggers

High
Confidence: 98%
Finding
The wildcard permission `Bash(openclaw:*)` gives effectively unconstrained access to a high-privilege CLI, permitting arbitrary subcommands and arguments. Because the same policy also allows reads under `/root/**`, package operations, publishing actions, and network access, an agent could chain these capabilities into code deployment, credential misuse, or destructive system changes.
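The two permission findings above share one root cause: wildcard argument patterns on tools that grant egress, code execution, or privileged control. The following is an added reviewer check, not code from the skill or from OpenClaw; it assumes the `Tool(cmd:*)` string syntax visible in the findings and classifies each entry before the skill is approved. The sample list and the command categories are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the permission strings quoted in the findings above,
# plus two narrow entries for contrast. The Tool(spec) syntax is assumed
# from those strings, not read from a specification.
SAMPLE_PERMISSIONS = [
    "Bash(grep:*)",
    "Bash(curl:*)",
    "Bash(python3:*)",
    "Bash(openclaw:*)",
    "Read(/root/**)",
    "WebSearch",
    "Bash(git status)",
    "Read(./skills/**)",
]

# Assumed command categories for this example; tune them to the deployment.
PRIVILEGED_CMDS = {"openclaw", "sudo", "docker", "kubectl", "npm", "pip"}
EGRESS_CMDS = {"curl", "wget", "nc", "ssh", "scp"}
EXEC_CMDS = {"python3", "python", "node", "bash", "sh", "perl", "ruby"}
FILE_READ_CMDS = {"grep", "cat", "find", "ls", "head", "tail"}

PERM_RE = re.compile(r"^(?P<tool>\w+)(?:\((?P<spec>.*)\))?$")


@dataclass(frozen=True)
class PermissionIssue:
    permission: str
    reason: str


def classify_permission(perm: str) -> Optional[PermissionIssue]:
    """Return an issue for a permission that is broader than a scoped skill needs."""
    m = PERM_RE.match(perm.strip())
    if not m:
        return PermissionIssue(perm, "unrecognised permission syntax; review manually")
    tool, spec = m.group("tool"), m.group("spec")

    if tool == "WebSearch" and not spec:
        return PermissionIssue(perm, "unconstrained web retrieval; prompt-injection exposure")

    if tool == "Bash":
        if spec is None or spec == "*":
            return PermissionIssue(perm, "any shell command with any arguments")
        if spec.endswith(":*"):
            cmd = spec[:-2]
            if cmd in PRIVILEGED_CMDS:
                return PermissionIssue(perm, f"arbitrary subcommands of privileged CLI '{cmd}'")
            if cmd in EGRESS_CMDS:
                return PermissionIssue(perm, f"arbitrary network egress via '{cmd}'")
            if cmd in EXEC_CMDS:
                return PermissionIssue(perm, f"arbitrary code execution via '{cmd}'")
            if cmd in FILE_READ_CMDS:
                return PermissionIssue(perm, f"arbitrary file read via '{cmd}'")
            return PermissionIssue(perm, f"wildcard arguments to '{cmd}'")
        return None  # a fixed command line such as "git status" is narrow enough

    if tool in {"Read", "Write", "Edit"} and spec and spec.startswith("/") and "**" in spec:
        return PermissionIssue(perm, f"recursive {tool.lower()} access under absolute path {spec}")

    return None


def lint_permissions(perms: List[str]) -> List[PermissionIssue]:
    """Classify every entry and keep only those that need a human decision."""
    return [issue for issue in map(classify_permission, perms) if issue is not None]


if __name__ == "__main__":
    for issue in lint_permissions(SAMPLE_PERMISSIONS):
        print(f"{issue.permission:22} {issue.reason}")
```

Run it against a skill's permission list before installation; every line it prints should be either removed or replaced with a fixed command line the skill actually needs.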

Missing User Warnings

Medium
Confidence: 93%
Finding
The guide documents multiple destructive and privilege-affecting actions such as delete, channel-delete, kick, and role changes without any safety boundaries, confirmation requirements, or authorization guidance. In an agent-facing skill file, presenting these operations as routine capabilities can lead an autonomous or semi-autonomous agent to perform irreversible or high-impact actions based on ambiguous prompts or prompt injection from chat content.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill advertises slash-command execution via run-command as a general utility without warning that slash commands may trigger powerful administrative, integration, or automation behavior. This is dangerous because an agent may execute opaque commands whose effects are not visible from the skill description, enabling privilege misuse, data exposure, or disruptive workspace changes.

Missing User Warnings

Medium
Confidence: 95%
Finding
The upload action can read arbitrary local files from paths supplied in parameters and transmit their contents to Rocket.Chat. In an agent environment, this creates a direct local file exfiltration primitive if prompts or untrusted inputs can influence filePath/path, especially because path normalization still permits arbitrary absolute paths and home-relative expansion.

Missing User Warnings

Medium
Confidence: 94%
Finding
The media upload path fetches arbitrary external URLs and then uploads the retrieved content onward, creating a network egress primitive and possible SSRF vector depending on runtime network reachability. An attacker who can control mediaUrl may cause the agent to contact internal services, cloud metadata endpoints, or other sensitive hosts and relay the response into Rocket.Chat.

Missing User Warnings

High
Confidence: 96%
Finding
The integration creation logic allows outgoing webhooks to arbitrary URLs, enabling persistent exfiltration or command-and-control style callbacks from the Rocket.Chat server once created. In this skill context, that is especially dangerous because it turns one-time tool access into durable server-side data transmission to attacker-controlled endpoints.
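The SSRF finding on the media fetch, the outgoing-webhook finding above, and the unbounded attachment download reported below all need the same two controls: an egress check that refuses URLs outside an operator allowlist or resolving to internal addresses, and a byte budget on whatever is downloaded. This is an added example, not the skill's or Rocket.Chat's code. The allowlist, the fake DNS table, and the address `93.184.216.34` are constructed so the example runs offline.

```python
import io
import ipaddress
import socket
from typing import BinaryIO, Callable, FrozenSet
from urllib.parse import urlsplit


class EgressDenied(ValueError):
    """Raised when a URL must not be fetched or registered as a webhook target."""


class AttachmentTooLarge(ValueError):
    """Raised when a download exceeds the configured byte budget."""


# Assumed allowlist of hosts the skill may contact; in a real deployment this
# comes from operator configuration, never from the prompt or chat content.
ALLOWED_HOSTS: FrozenSet[str] = frozenset({"files.example.com", "hooks.example.com"})

# Constructed DNS table for offline use. hooks.example.com deliberately resolves
# to the cloud metadata address to show that an allowlisted name can still be
# pointed at an internal target.
FAKE_DNS = {"files.example.com": "93.184.216.34", "hooks.example.com": "169.254.169.254"}


def fake_resolver(host, port, proto=0):
    """Stand-in for socket.getaddrinfo with the same result shape."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no record for {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (FAKE_DNS[host], port))]


def _is_public(ip) -> bool:
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_egress_url(url: str, allowed_hosts: FrozenSet[str] = ALLOWED_HOSTS,
                     resolver: Callable = socket.getaddrinfo) -> str:
    """Return url unchanged if it may be contacted; raise EgressDenied otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise EgressDenied(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise EgressDenied("credentials embedded in URL")
    host = (parts.hostname or "").lower()
    if not host:
        raise EgressDenied("missing host")
    if host not in allowed_hosts:
        raise EgressDenied(f"host not in egress allowlist: {host}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise EgressDenied(f"cannot resolve {host}: {exc}") from exc
    # Every resolved address must be public; one internal A record is enough to deny.
    for info in infos:
        ip = ipaddress.ip_address(info[4][0])
        if not _is_public(ip):
            raise EgressDenied(f"{host} resolves to non-public address {ip}")
    return url


def copy_bounded(src: BinaryIO, dst: BinaryIO, max_bytes: int, chunk_size: int = 64 * 1024) -> int:
    """Copy src to dst, aborting as soon as the budget is exceeded; returns bytes copied."""
    total = 0
    while True:
        # Ask for at most one byte past the budget so an oversized body is
        # detected before it is buffered in full.
        chunk = src.read(min(chunk_size, max_bytes - total + 1))
        if not chunk:
            return total
        total += len(chunk)
        if total > max_bytes:
            raise AttachmentTooLarge(f"body exceeds {max_bytes} bytes")
        dst.write(chunk)


def demo_bounded_copy(payload: bytes, max_bytes: int) -> int:
    """Run copy_bounded over an in-memory body (constructed input)."""
    return copy_bounded(io.BytesIO(payload), io.BytesIO(), max_bytes)


if __name__ == "__main__":
    for candidate in ["https://files.example.com/a.png", "ftp://files.example.com/a",
                      "https://evil.example.net/cb", "https://hooks.example.com/cb",
                      "http://169.254.169.254/latest/meta-data/"]:
        try:
            print("allow", check_egress_url(candidate, resolver=fake_resolver))
        except EgressDenied as err:
            print("deny ", candidate, "->", err)
    print(demo_bounded_copy(b"x" * 1000, max_bytes=2048), "bytes copied")
```

Checking resolved addresses before the request is a check, not a pin: the HTTP client must connect to the address that was validated (or re-run the check in its connection hook) to close the DNS-rebinding window, and each redirect hop must be validated again. The same function applies to the URL supplied when an outgoing webhook is created, since that target is contacted by the server indefinitely.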

Missing User Warnings

Medium
Confidence: 78%
Finding
The monitor automatically downloads user-supplied attachments to persistent local storage under `~/.openclaw/tmp` without any size limits, content restrictions, or user-facing disclosure in this component. In this skill context, that increases privacy and disk-consumption risk because untrusted chat participants can cause local file writes on the host running the agent, potentially storing sensitive content longer than expected.

Missing User Warnings

Medium
Confidence: 89%
Finding
The function accepts a user-supplied media path, resolves it to an arbitrary local filesystem location, and then reads and uploads that file to Rocket.Chat without any authorization, path allowlisting, or explicit user confirmation. In an agent context, this can exfiltrate sensitive local files such as SSH keys, tokens, config files, or application secrets if an attacker can influence the mediaUrl argument.

Missing User Warnings

Medium
Confidence: 96%
Finding
The asset upload action reads an arbitrary local file path from user-controlled parameters and sends its contents to the remote Rocket.Chat server. In an agent environment, this creates a clear local file exfiltration primitive: a prompt or untrusted input could cause sensitive host files to be read and uploaded without any path restriction, disclosure, or consent boundary in this code.

Missing User Warnings

Medium
Confidence: 95%
Finding
This code will read any locally accessible file path and transmit the contents to an external Rocket.Chat server without any confirmation or disclosure at this layer. In an agent setting, that creates a straightforward exfiltration primitive for secrets such as SSH keys, config files, tokens, or local documents if an attacker can influence the upload path.
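The five local-file findings (the mediaUrl handling, the upload action's filePath/path, the asset upload, and the two media-path findings) describe one missing control: a caller-supplied path is normalised and then trusted. The example below is added here and is not the skill's code; it assumes an operator-configured list of allowed root directories (playing the role of the page's `mediaLocalRoots`) and shows the naive resolution the findings describe next to a resolver that follows symlinks and only accepts regular files inside a configured root. The directory layout in `run_demo` is constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable


class LocalPathDenied(PermissionError):
    """Raised when a requested local path may not be read for upload."""


def naive_resolve(requested: str) -> str:
    """The pattern the findings describe: expand ~, normalise, then trust the result."""
    return os.path.normpath(os.path.expanduser(requested))


def resolve_local_media(requested: str, local_roots: Iterable[str], *, expand_home: bool = False) -> Path:
    """Return the real path of `requested` only if it is a regular file under one of local_roots."""
    roots = [Path(r).resolve() for r in local_roots]
    if not roots:
        raise LocalPathDenied("local media uploads are disabled: no roots configured")
    if requested.startswith("~"):
        if not expand_home:
            raise LocalPathDenied("home-relative paths are not accepted")
        requested = os.path.expanduser(requested)
    candidate = Path(requested)
    if not candidate.is_absolute():
        raise LocalPathDenied("relative paths are rejected; pass an absolute path under a configured root")
    # resolve() follows symlinks and collapses '..', so the containment check
    # below is made on the file that would actually be opened.
    real = candidate.resolve(strict=True)
    if not real.is_file():
        raise LocalPathDenied(f"{real} is not a regular file")
    for root in roots:
        if real.is_relative_to(root):
            return real
    raise LocalPathDenied(f"{real} is outside the configured media roots")


def run_demo() -> Dict[str, str]:
    """Build a throwaway layout and report 'ok' or 'denied' for each constructed case."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "media")
        outside = Path(tmp, "outside")
        root.mkdir()
        outside.mkdir()
        (root / "inside.png").write_bytes(b"\x89PNG constructed sample")
        (outside / "id_rsa").write_text("constructed secret, not a real key\n")
        (root / "link").symlink_to(outside / "id_rsa")  # symlink that escapes the root
        cases = {
            "inside": str(root / "inside.png"),
            "traversal": str(root / ".." / "outside" / "id_rsa"),
            "symlink_escape": str(root / "link"),
            "absolute_outside": str(outside / "id_rsa"),
            "home_relative": "~/.ssh/id_rsa",
        }
        results = {}
        for name, path in cases.items():
            try:
                resolve_local_media(path, [str(root)])
                results[name] = "ok"
            except (LocalPathDenied, FileNotFoundError):
                results[name] = "denied"
        return results


if __name__ == "__main__":
    print("naive:", naive_resolve("~/.ssh/id_rsa"))
    for name, verdict in run_demo().items():
        print(f"{name:18} {verdict}")
```

Keeping the roots in operator configuration rather than in the tool's parameters matters as much as the check itself: if the agent can set `mediaLocalRoots` from a prompt, the allowlist is only a speed bump.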

VirusTotal

65/65 vendors flagged this plugin as clean. Antivirus engines match known-malicious files and signatures; they do not assess capability scope, prompt-injection exposure, or any of the agent-level findings above, so a clean result here does not offset them.
