openclaw menubar

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real macOS OpenClaw menu bar wrapper, but it needs review because it handles OpenClaw authentication tokens and session access in under-secured ways.

Review before installing. Use it only if you trust this publisher and are comfortable with a local Electron app reading your OpenClaw gateway token, opening a menu bar process, and connecting to your OpenClaw gateway. Avoid dragging sensitive files into it unless you trust the configured gateway. The publisher should remove raw token logging, harden Electron settings, validate the custom protocol callback, avoid token-in-URL flows, and clearly disclose saved config/history behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill directs users to run shell scripts and relies on environment and shell capabilities, but it does not declare those permissions or clearly disclose the security-sensitive actions being taken. This weakens user consent and reviewability, because a seemingly simple UI skill can execute local commands and access host state without an explicit permission boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is a lightweight macOS menu bar wrapper, but the behavior described includes protocol handling, OAuth callback processing, reading auth tokens from ~/.openclaw/openclaw.json, persistent history/config storage, file attachment access, and message sending via CLI. This mismatch is dangerous because it conceals a much broader trust and attack surface than users would reasonably expect, including credential handling and local data exposure.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The document asserts there are 'no security concerns' while describing an implementation that embeds a local web UI in an iframe with permissive sandbox flags and LAN fallback behavior. This is dangerous because it downplays real trust-boundary issues: if the embedded UI or fallback endpoint is exposed, manipulated, or reachable over the network, the menubar app may load and grant script-capable access to untrusted content under misleading assumptions of safety.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The documentation states the app is cross-platform even though the skill metadata explicitly says it is macOS-only. This mismatch can cause users or downstream packaging systems to deploy the skill in unsupported environments, leading to failed installs, broken behavior, or accidental trust in inaccurate platform claims.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
Advertising Windows and Linux build artifacts for a macOS-only skill is a materially misleading operational claim. In a marketplace context, this can mislead users and reviewers, encourage unsupported installation paths, and mask missing platform-specific security review for non-macOS targets.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
Listing Windows/Linux distribution channels and package metadata for a macOS-only skill extends the platform mismatch into publication guidance. This increases the chance of improper distribution, user confusion, and installation in unsupported environments where security assumptions and permissions may differ.

Intent-Code Divergence

Low
Confidence
90% confidence
Finding
The closing checklist and summary reinforce inaccurate cross-platform support claims, prolonging the same misleading messaging throughout the document. While less direct than build instructions, repeated inconsistency increases the likelihood of operator error and weakens trust in the skill's stated constraints.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script automatically installs ImageMagick with Homebrew if `convert` is missing, which expands its behavior from icon generation into system package management. Even though the goal appears convenience-oriented, silently adding software changes the host environment, may trigger network activity and privileged package operations, and can violate user expectations for a simple asset helper.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill registers a custom protocol handler and accepts `open-url` events, which expands the attack surface beyond a simple local menu bar wrapper. Any app or webpage able to invoke the custom scheme can deliver attacker-controlled callback URLs, and this handler performs only a regex match before forwarding the extracted token to the renderer with no state, origin, or flow validation.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill invokes a shell command to send data into the main OpenClaw session, which exceeds the narrowly described menu-bar UI purpose and creates an unnecessary command-execution boundary. Even though the message argument is shell-escaped, the code still grants this UI component the ability to drive the CLI and influence the primary agent session, increasing attack surface and privilege abuse risk.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation phrases include very generic commands such as "enable menubar" and "add openclaw to my menu bar," which could be triggered unintentionally during normal conversation or by untrusted content relayed through other channels. Because the skill launches or enables a local app, unintended invocation could cause unexpected execution and user confusion, especially in multi-channel contexts like chat integrations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs users to run install and start scripts directly, including dependency installation, without warning about process execution, package installation, or the side effects on the local system. That is risky because users may execute unreviewed shell code and pull packages that can modify the environment, install dependencies, or start background processes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documented auto-discovery behavior reads local configuration and falls back from localhost to a LAN IP without warning about privacy or network trust implications. In this skill context, that makes the issue more dangerous because a menu bar app is expected to feel local and safe, yet it may silently connect to a broader-network endpoint where traffic, content origin, and exposure assumptions differ significantly.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The primary user-experience section promotes zero-configuration behavior while omitting prominent disclosure that the app reads local configuration, accesses gateway tokens, and writes persistent settings. Because these actions touch sensitive local state and authentication material, under-disclosing them can undermine informed consent and surprise users about privacy- and system-relevant behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly encourages dragging files into the app and sending chat content to a gateway, but it does not clearly warn users that both messages and file contents are transmitted over the network to a specific host. In a chat/file-upload workflow, lack of disclosure can cause users to unknowingly send sensitive local data to a remote service, especially since the gateway is configured as a LAN endpoint rather than an obviously local-only IPC mechanism.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation promotes auto-discovery of the user's OpenClaw config and token, plus drag-and-drop file submission, without clearly warning that local secrets may be read and dropped file contents may be transmitted to the gateway. In a security-sensitive agent ecosystem, lack of informed-consent messaging can cause users to expose credentials or sensitive documents unintentionally.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script performs `brew install imagemagick` immediately after printing a generic status line, without explicit user consent or a strong warning that software will be installed. In a skill intended to enable a macOS menu bar app, this is more dangerous because users would reasonably expect local icon generation, not automatic package installation and network-backed system changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The client appends the authentication token to the WebSocket URL query string, which can leak credentials through logs, browser/devtools history, proxy logs, crash reports, or other telemetry that records URLs. In a macOS menu bar app handling persistent background connections, this is more dangerous because connection URLs may be logged during startup/reconnect and long-lived tokens could allow unauthorized access to the gateway.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code logs the received OAuth token directly to the console, which can expose bearer credentials in logs, terminal history, crash reports, or developer tooling. Anyone with access to those logs could replay the token and impersonate the user until the token expires or is revoked.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill reads a local authentication token from the user's config and appends it to a URL fragment before loading it into a BrowserView. Even though the target is localhost, placing credentials in a URL increases exposure through renderer-accessible location data, client-side scripts, browser history/debugging surfaces, and accidental leakage via copied URLs or logs; in this file, the main window is also configured with insecure webPreferences, which makes the surrounding context more dangerous.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Attached files are fully read into base64 and staged for transmission without any explicit user-facing disclosure about where their contents will go, what service will process them, or whether sensitive local data may leave the machine. In a menu bar app designed for quick interaction, this reduced friction increases the chance of accidental exfiltration of sensitive files.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The app persists conversation history to `~/.openclaw/menubar-history.json` without informing the user, potentially storing sensitive prompts, responses, and attachment metadata on disk unexpectedly. Undisclosed local retention creates privacy and confidentiality risk, especially on shared machines or systems with backups, indexing, or lax file permissions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The `model` value is concatenated directly into the shell command without escaping or allowlisting, creating a command-injection risk if an attacker can influence that parameter. Because this runs through `exec()`, shell metacharacters in `model` could execute arbitrary commands on the host, which is significantly more dangerous than the already-intended CLI action.

VirusTotal

64/64 vendors flagged this skill as clean.
