ProxyBase

Security checks across malware telemetry and agentic risk

Overview

This proxy-management skill is not clearly malicious, but it needs Review because it can persistently reroute OpenClaw gateway traffic through a third-party proxy and stores proxy/API secrets locally.

Install only if you trust ProxyBase and want the agent to create a third-party account, handle paid crypto proxy orders, and store API/proxy credentials locally. Prefer per-command proxy use or manually sourced env files. Avoid inject-gateway unless you intentionally want OpenClaw gateway and exec traffic routed through the proxy; run --dry-run first and keep track of the .bak service backup for restoration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill is explicitly user-invocable and documents extensive shell usage, but the manifest does not declare corresponding permissions. Undeclared shell capability undermines user/operator visibility into what the skill can do and increases the chance of risky execution without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill claims to purchase/manage proxies, but its documentation also includes modifying the OpenClaw gateway systemd service and restarting local services. That is a materially broader and more privileged behavior than the stated purpose, creating a trust boundary violation where users may invoke a purchasing skill that can also reconfigure host networking.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documented ability to modify the OpenClaw gateway's systemd service is outside the core API purchase/management scope described by the manifest. Hidden or under-disclosed administrative behavior makes the skill more dangerous because it can alter system routing/persistence under the guise of a routine proxy-management tool.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Changing a systemd service file and restarting the gateway is a privileged local system modification not justified by merely buying and managing proxies. If abused or triggered unexpectedly, it can persistently reroute agent traffic through a third-party proxy, affecting confidentiality, integrity, and availability of subsequent operations.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The documentation contradicts itself by saying proxy passwords should never be exposed in chat while instructing the agent to announce SOCKS5 credentials to the user during polling. Exposing credentials in chat increases the risk of leakage through logs, transcripts, integrations, or other participants in the conversation.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The inject-gateway command modifies a user systemd service file and restarts the OpenClaw gateway, which is a host-level side effect beyond simply purchasing or managing proxies. Even though it targets a user service rather than requiring root, it changes runtime network behavior for another component and can disrupt or redirect traffic without any interactive confirmation.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This code directly edits ~/.config/systemd/user/openclaw-gateway.service, injects proxy environment variables, reloads systemd, and restarts the gateway. That host-configuration capability is not necessary for core proxy ordering/rotation and materially increases the blast radius by letting the skill alter persistence and traffic routing of another local service.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly states that the skill will automatically register an external account and store an API key locally with zero configuration, but it does not clearly warn users about the privacy, billing, and credential-management implications of that behavior. In the context of a proxy-purchasing skill that creates third-party accounts and handles payment workflows, silent credential creation/storage increases the risk of users unknowingly authorizing external service enrollment and persisting sensitive secrets on disk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill auto-registers and stores credentials on disk without a prominent user warning or consent step. Silent credential creation and persistence can surprise users, expand secret exposure on the host, and leave long-lived API keys in predictable locations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explains how to source proxy environment variables that will transparently route future traffic, but does not clearly warn users that subsequent network requests may be sent through a third-party proxy. This can expose sensitive traffic or alter system behavior in ways the user did not intend.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script applies a disruptive configuration change and restarts the gateway immediately, with no confirmation prompt, warning, or preview beyond an optional dry-run mode that is not required. This increases the chance of accidental service interruption and unintended traffic redirection, especially in an agent context where commands may be run non-interactively.

External Transmission

Medium
Category
Data Exfiltration
Content
Pass `callback_url` when creating the order:
```bash
curl -s -X POST "$PROXYBASE_API_URL/orders" \
  -H "X-API-Key: $PROXYBASE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"package_id":"PACKAGE_ID","pay_currency":"usdcsol","callback_url":"https://your-gateway/hooks/proxybase"}'
```
Confidence
76% confidence
Finding
curl -s -X POST "$PROXYBASE_API_URL/orders" \ -H "X-API-Key: $PROXYBASE_API_KEY" \ -H "Content-Type: application/json" \ -d

Credential Access

High
Category
Privilege Escalation
Content
├── config/
│   └── openclaw-config-snippet.json5 # OpenClaw config template
└── state/                            # Created at runtime
    ├── credentials.env               # Agent ID + API key (chmod 600)
    ├── orders.json                   # Tracked orders
    ├── .proxy-env                    # Active proxy ENV vars (most recent)
    └── .proxy-env-<order_id>         # Per-order proxy ENV vars
Confidence
84% confidence
Finding
credentials.env

Credential Access

High
Category
Privilege Escalation
Content
├── config/
│   └── openclaw-config-snippet.json5 # OpenClaw config template
└── state/                            # Created at runtime
    ├── credentials.env               # Agent ID + API key (chmod 600)
    ├── orders.json                   # Tracked orders
    ├── .proxy-env                    # Active proxy ENV vars (most recent)
    └── .proxy-env-<order_id>         # Per-order proxy ENV vars
Confidence
84% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
This skill uses **zero-configuration** registration. The first time any
ProxyBase command is run, the agent automatically registers and stores
credentials in `{baseDir}/state/credentials.env`. No manual API key setup
or `openclaw.json` edits are required.

For manual or debugging use, you can also register explicitly:
Confidence
92% confidence
Finding
credentials.env

Credential Access

High
Category
Privilege Escalation
Content
### Interactive (Chat with Human)

1. **Load credentials**: `source {baseDir}/state/credentials.env 2>/dev/null`
2. **Register if needed**: Run `bash {baseDir}/proxybase.sh register` if no key
3. **List packages**: Show user available packages with prices
4. **List currencies**: Show user payment options (default: usdcsol)
Confidence
86% confidence
Finding
credentials.env

Credential Access

High
Category
Privilege Escalation
Content
### Interactive (Chat with Human)

1. **Load credentials**: `source {baseDir}/state/credentials.env 2>/dev/null`
2. **Register if needed**: Run `bash {baseDir}/proxybase.sh register` if no key
3. **List packages**: Show user available packages with prices
4. **List currencies**: Show user payment options (default: usdcsol)
Confidence
86% confidence
Finding
.env

VirusTotal

65/65 vendors flagged this skill as clean.
